面向云环境的VMM平台安全性加固综述

周启航; 贾晓启; 张伟娟; 姜楠

引用本文：

周启航,贾晓启,张伟娟,姜楠.面向云环境的VMM平台安全性加固综述[J].信息安全学报,2025,10(1):160-175 [点击复制]
ZHOU Qihang,JIA Xiaoqi,ZHANG Weijuan,JIANG Nan.A Survey of VMM Security Reinforcement on Virtualization Platform[J].Journal of Cyber Security,2025,10(1):160-175 [点击复制]

本文已被：浏览 79次下载 34次	码上扫一扫！
面向云环境的VMM平台安全性加固综述
周启航¹, 贾晓启^1,2, 张伟娟¹, 姜楠^1,2
0 字体:加大+\|默认\|缩小-
(1.中国科学院信息工程研究所北京中国 100093;2.中国科学院大学网络空间安全学院北京中国 100093)

摘要:

虚拟化技术作为云计算新时代下的新技术基础设施之一,是构建新型IT架构的承载技术。虚拟机监视器作为虚拟化和云计算中最重要的组件,对云平台的安全和稳定至关重要。然而,由于庞大且逐年增长的代码量、复杂且单一的设计模式和缺乏内部隔离,虚拟机监视器近年来不断爆出安全问题。虚拟机监视器控制着整个虚拟化平台的正常运转,一旦虚拟机监视器受到攻击,云平台的所有虚拟机将暴露于威胁之中。如何对虚拟机监视器进行安全性加固成为研究热点。因此,为了增强虚拟机监视器的安全性,本文从虚拟机监视器系统架构角度,全面系统性分析和总结了面向云环境的虚拟机监视器安全加固技术。首先,分析了Hypervisor模型、宿主模型和混合模型三种传统虚拟机监视器的架构模型和实际的虚拟机监视器软件(Xen,KVM和VMWare ESX Server),并总结它们架构中存在的弊端;其次,对近年来国内外的虚拟机监视器加固研究成果进行归纳,将其分为特权域安全加固、完整性保护、错误隔离强制、最小化虚拟机监视器、嵌套虚拟化加固和硬件加密保护等类别,并比较不同方案的优缺点;接着,本文提出了可信基大小、访问控制、错误隔离和性能与部署难度这四个评估维度来评价虚拟机监视器的架构安全性;最后,本文对下一步的虚拟机监视器安全性加固进行研究展望。

关键词: VMM安全加固虚拟化安全可信基架构安全

DOI：10.19363/J.cnki.cn10-1380/tn.2025.01.12

投稿时间：2020-03-19修订日期：2020-05-31

基金项目:本课题得到中国科学院网络测评技术重点实验室资助项目、网络安全防护技术北京市重点实验室资助项目、北京市科学技术委员会项目(No.Z191100007119010)、中国科学院国防科技重点实验室基金项目(No.CXJJ-20S022)资助。

A Survey of VMM Security Reinforcement on Virtualization Platform

ZHOU Qihang¹, JIA Xiaoqi^1,2, ZHANG Weijuan¹, JIANG Nan^1,2

(1.Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100093, China)

Abstract:

As one of the new technological infrastructure in the new era of cloud computing, virtualization technology is the bearer technology for building a new IT architecture. Virtual machine monitor, the most important component in virtualization and cloud computing, is critical to the integrity, security and stability of cloud platform. However, the virtual machine monitor has been exposed to many security problems in recent years due to a large number of codes, a complex and monolithic design pattern and a lack of internal isolation. The virtual machine monitor controls the normal operation of the entire virtualization platform. Once the virtual machine monitor is compromised, all virtual machines on the cloud platform will be exposed to threats. How to reinforce the security of virtual machine monitor has become a research hotspot. Therefore, in order to better enhance the security of the virtual machine monitor, in this paper, we systematically analyze and summarize the security reinforcement technology of virtual machine monitor from the perspective of architecture security. Firstly, we introduce and analyze three traditional architecture models of virtual machine monitors: hypervisor model, hosted model and hybrid model, as well as three actual virtual machine monitor softwares (Xen, KVM and VMWare ESX Server), and summarize the potential safety hazard of their architectures. Secondly, we survey the domestic and foreign reinforcement researches of the virtual machine monitor in recent years, sum these projects up into privileged domain security hardening, integrity protection, error isolation enforcement, minimizing virtual machine monitor, nested virtualization reinforcement and hardware encryption protection, and compare the advantages and disadvantages of different researches. Thirdly, we institute four dimensions including trusted computing base size, access control, error isolation and performance and deployment difficulty to evaluate the design of virtual machine monitor. Finally, we discuss the challenges and looks forward to the next step of virtual machine monitor security reinforcement.

Key words: VMM Security reinforcement virtualization security TCB architecture security