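Project title: Research on a Virtualization-Based Isolated Execution Environment for Untrusted Programs
Project number: No.61202480
Project type: Young Scientists Fund project
Year of approval: 2013
Discipline: Computer science
Principal investigator: Wen Yan (温研)
Affiliation: Unit 63928 of the Chinese People's Liberation Army
Funding: 250,000 yuan
Chinese abstract: Isolated program execution is a protection mechanism against the security threats posed by untrusted software. Its aim is to limit the harm that untrusted software can cause while preserving the functional integrity of that code as far as possible. However, existing research on personal computing platforms struggles to balance usability and security and is of limited practical use. To address this problem, the project uses virtualization technology to strengthen the security of personal computer platforms that need to execute untrusted software. It adopts "local virtualization technology" to reuse the existing software environment and improves usability by optimizing the performance of the isolated execution environment. It also provides a general mechanism for analyzing and tracking the behavior of isolated software at the virtualization layer in order to improve its monitorability. Specifically, the work covers: (1) establishing, on the basis of virtualization technology, a new isolated program execution model that balances security and usability, and studying "local virtualization technology" centered on file system sharing and dynamic operating system migration; (2) studying virtual machine performance optimization techniques based on dynamic physical memory allocation and memory sharing; (3) studying implicit operating system information reconstruction and self-hiding malicious code detection techniques based on the virtualization platform; (4) studying, on the basis of hardware virtualization technology, a defense model against "virtual machine-aware" malicious code.
Chinese keywords: untrusted software; isolated execution environment; virtual machine; local virtualization; computing environment reproduction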
English abstract: Program isolated execution is a protective mechanism against the security threats of untrusted software. It is introduced to bound the potential harm incurred by untrusted software while ensuring the integrity of such programs' functions as much as possible. However, existing approaches focusing on personal computing platforms still have not achieved a proper tradeoff between usability and security. Consequently, their practicality cannot satisfy real-world requirements. To address this issue, the project proposes a new virtualization-based technology to improve the security of personal computer platforms. This project also presents a novel Local-Booted Virtualization Technology, which can reuse the existing software environment, and a series of performance optimization technologies to enhance the usability of the isolated execution environment. Besides, this project provides a general mechanism, which is capable of analyzing and tracking the behavior of the isolated software at the virtualization layer, to improve the monitorability of the isolated execution environment. This project puts the research emphasis on: (1) a new program isolated execution model based on virtualization technology which can establish a balance between security and usability, and the Local-Booted Virtualization Techno
English keywords: untrusted software; isolated execution environment; virtual machine; local virtualization; execution environment reproduction