隔离运行环境关键技术研究
|
摘要
随着网络技术的发展和硬件性价比的不断提高,网络应用模式发生了深刻变化,个人用户越来越频繁地从Internet上下载和执行软件,个人计算平台逐渐由终端设备变为参与网络计算的基本元素。这一变化造成了网络上非可信软件对个人计算平台更为严峻的安全威胁,对当前个人计算平台的防护机制提出了新的挑战。构造一个透明的隔离运行环境,使其能够隔离非可信软件的潜在安全威胁,同时保证被隔离软件的有效运行,并监控其行为,成为个人计算平台抵御下载执行的非可信软件安全威胁的重要技术途径。
隔离运行环境的构造面临两大问题:一是如何在充分隔离的前提下保证被隔离软件正确执行并且性能可以接受;二是如何在充分隔离的前提下鉴别或抑止非可信软件的恶意行为。本文借鉴虚拟机技术,提出了隔离运行环境的安全隔离性、功能完整性、性能适应性和行为可监控性的概念,在确保操作系统隔离的前提下,通过重现宿主操作系统软件环境来提高隔离运行环境的功能完整性,通过优化隔离运行环境性能来提升其性能适应性,并提出了一种在虚拟层监控被隔离软件行为的通用机制。本文的主要贡献有以下几点:
1.提出了一种新的基于硬件抽象层虚拟机技术的隔离运行模型(Safe Virtual Execution Environment,简称SVEE)。SVEE能够在支持操作系统隔离的前提下重现宿主计算环境,并满足Bell-LaPadula机密性模型和Biba完整性模型。同时,在该模型下,被保护的宿主环境的容侵能力也得到了有效提升。SVEE在执行非可信软件所需的安全隔离性、功能完整性、性能适应性与行为可监控性之间找到了合适的平衡点。基于此模型,本文提出了独立于操作系统的SVEE体系结构,该体系结构具有很好的可移植性。
2.针对计算环境重现带来的文件系统冲突问题和操作系统迁移带来的软硬件配置不兼容问题,本文提出了以卷快照技术和动态操作系统迁移技术为核心的本地虚拟化技术,有效实现了可配置的计算环境重现,显著提升了隔离运行环境的功能完整性。测试结果证明SVEE能够有效支持多种不同软硬件配置的运行环境。
3.为了提高SVEE隔离运行环境的性能,本文提出了针对指令虚拟化的动态指令转换优化技术和针对内存虚拟化的动态物理内存分配技术,提升了隔离运行环境的性能适应性。SPEC 2006的测试结果显示SVEE隔离运行环境的性能接近于直接在宿主环境运行的性能(平均性能下降仅为4.41%);而动态物理内存分配技术则平均减少内存消耗6.82%,同时处理器开销平均增加不到3%。
4.为了支持在虚拟层有效地监视和分析隔离运行环境内非可信软件的行为,针对虚拟层只能获取硬件层的相关数据而无法直接获取操作系统层语义信息的问题,本文提出并实现了隐式操作系统信息重构平台,使得SVEE及其它相关应用都能够在不借助操作系统API的情况下,利用硬件层的信息重构出操作系统层的语义信息,有效提升了隔离运行环境的行为可监控性。基于此平台,构造了自隐藏恶意代码检测系统,该系统能够有效的检测出比现有检测机制更多的自隐藏恶意代码。
5.针对能够感知虚拟机存在并隐藏自身恶意行为的所谓“虚拟机感知”恶意代码,本文建立了基于硬件虚拟化技术的防御模型,该模型通过模拟已有虚拟机的各种指纹故意使此类恶意代码感知到虚拟机的存在,进而使其主动放弃恶意行为的执行。测试结果证明原型系统MiniVMM能够将运行中的操作系统动态地在本地模式和虚拟化模式间切换,并能准确模拟各类虚拟机指纹,进一步提高了对恶意代码行为的抑止能力。
综上所述,本文针对隔离运行环境的安全隔离性、功能完整性、性能适应性和行为可监控性提出了有效的解决方案,对于提高个人计算平台抵御非可信软件安全威胁的能力具有重要的理论意义和应用价值。
With the continuous development of the network technology and the significant raising of the hardware’s performance-price ratio, the application patterns of the network have changed greatly. The users of the personal computing platforms are willing to download and execute freeware/shareware on the Internet. The personal computing platforms are changing from the terminal devices to serve as the basic components of the network computing. However, this evolvement incurs more serious security threats to the personal computing platforms. Consequently, these threats come up with several new challenges to the existing protecting mechanisms. Constructing a transparent isolated execution environment, which can confine the potential threats of the untrusted software and monitor the behavior of this software without negating its functionality benefits, will serve as the important technology approach to protect the personal computing platforms against the security threats of the untrusted software.
Building such an isolated execution environment has to be faced with two challenges. The first challenge is how to achieve both the full isolation and the functionality benefits of the isolated software while the performance overhead is acceptable. The second challenge is how to identify and confine the potential malicious behavior of the untrusted software while guaranteeing the full isolation. This dissertation introduces the virtual machine technology and proposes four concepts, exploring security isolation, functional integrity, performance adaptability and behavior inspectability. In addition, this dissertation makes an in-depth study on how to improve the functional integrity and performance adaptability while guaranteeing the security isolation. Besides, a new technology is proposed to inspect and analyze the isolated software’s behavior at the virtualization layer. Having solved the challenges arising in the whole lifetime of untrusted code, exploring introduction, execution, verification and submission to the host environment, this dissertation makes five contributions as follows:
1. Existing isolation execution technology cannot achieve both the OS isolation and execution environment reproduction. To address the dilemma, this dissertation proposes a new virtual machine based isolation model - Safe Virtual Execution Environment (SVEE). This model supports both OS isolation and execution environment reproduction. In addition, this dissertation proves in theory that SVEE isolation model satisfies the Bell-LaPadula confidentiality model and the Biba integrity model. Besides, this model will notablely improve the intrusion-tolerant ability of the host execution environment which is just the protecting concern for the personal users. SVEE achieves the balance among security isolation, functional integrity, performance adaptability and behavior inspectability of the isolated execution environment. Based on this model, an OS-independent architecture is built for SVEE.
2. To resolve the file system confliction induced by the execution environment reproduction and the software/hardware incompatibility caused by the OS migration, SVEE comes up with a so-called local virtualization technology which is composed of volume snapshot technology and dynamic OS migration technology. By dint of them, SVEE effectively accomplishes the configurable execution environment reproduction, so it improves the functional integrity of the isolated code. The evaluation results show that SVEE can run on various PCs definitely well.
3. In order to improve the performance of SVEE, SVEE introduces the dynamic instruction translation technology and dynamic physical memory allocation technology. These two technologies enhance the performance integrity of the isolated code. The evaluation results of SPEC 2006 illustrate that the computing-intensive benchmarks run essentially at native speed on SVEE (suffering a slowdown of 4.41% on average). Experimental data of the dynamic physical memory allocation technology shows an overall performance improvement of 6.82% while exacting an overhead of 3% to CPU.
4. For providing the ability to inspect and analyze the behavior of untrusted code at the virtualization layer, SVEE brings forward a new implicit OS information reconstruction technology. In virtue of this technology, SVEE is capable of reconstructing the OS layer semantic information from the collected hardware layer information without the help of OS APIs. Consequently, this technology effectively improves the inspectability of the isolated code. SVEE also constructs a stealth malware detection system. The evaluation results with real-world rootkits, which are widely used by stealth malware, demonstrate that this system can detect more stealth malware than existing detectors.
5. With security researchers relying on the virtual machine (VM) in their analysis work, so-called VM-aware malware has a significant stake in detecting the presence of a virtual machine to avoid executing its vicious behavior. But hiding the virtualization from malware by building a transparent virtual machine monitor (VMM) is fundamentally infeasible, as well as impractical from a performance and engineering standpoint. This dissertation proposes a new approach called MiniVMM from another perspective: hiding the“real”machine from the VMM-aware malware. Instead of building a transparent VMM, MiniVMM advisedly exposes the VMM fingerprints to prevent the computer against VMM-aware malicious programs by deceiving them into deactivating their destructive behavior by themselves. Ulteriorly, MiniVMM enhances the inspectability of the isolated code.
As a summary, this dissertation proposes a feasible approach which provides security against potential malware along with untrusted code while improving the functional integrity, performance adaptability and behavior inspectability of this isolated software. In the point of view of improving the personal computing platforms’security, this approach owns desirable theoretic value and application significance.
隔离运行环境的构造面临两大问题:一是如何在充分隔离的前提下保证被隔离软件正确执行并且性能可以接受;二是如何在充分隔离的前提下鉴别或抑止非可信软件的恶意行为。本文借鉴虚拟机技术,提出了隔离运行环境的安全隔离性、功能完整性、性能适应性和行为可监控性的概念,在确保操作系统隔离的前提下,通过重现宿主操作系统软件环境来提高隔离运行环境的功能完整性,通过优化隔离运行环境性能来提升其性能适应性,并提出了一种在虚拟层监控被隔离软件行为的通用机制。本文的主要贡献有以下几点:
1.提出了一种新的基于硬件抽象层虚拟机技术的隔离运行模型(Safe Virtual Execution Environment,简称SVEE)。SVEE能够在支持操作系统隔离的前提下重现宿主计算环境,并满足Bell-LaPadula机密性模型和Biba完整性模型。同时,在该模型下,被保护的宿主环境的容侵能力也得到了有效提升。SVEE在执行非可信软件所需的安全隔离性、功能完整性、性能适应性与行为可监控性之间找到了合适的平衡点。基于此模型,本文提出了独立于操作系统的SVEE体系结构,该体系结构具有很好的可移植性。
2.针对计算环境重现带来的文件系统冲突问题和操作系统迁移带来的软硬件配置不兼容问题,本文提出了以卷快照技术和动态操作系统迁移技术为核心的本地虚拟化技术,有效实现了可配置的计算环境重现,显著提升了隔离运行环境的功能完整性。测试结果证明SVEE能够有效支持多种不同软硬件配置的运行环境。
3.为了提高SVEE隔离运行环境的性能,本文提出了针对指令虚拟化的动态指令转换优化技术和针对内存虚拟化的动态物理内存分配技术,提升了隔离运行环境的性能适应性。SPEC 2006的测试结果显示SVEE隔离运行环境的性能接近于直接在宿主环境运行的性能(平均性能下降仅为4.41%);而动态物理内存分配技术则平均减少内存消耗6.82%,同时处理器开销平均增加不到3%。
4.为了支持在虚拟层有效地监视和分析隔离运行环境内非可信软件的行为,针对虚拟层只能获取硬件层的相关数据而无法直接获取操作系统层语义信息的问题,本文提出并实现了隐式操作系统信息重构平台,使得SVEE及其它相关应用都能够在不借助操作系统API的情况下,利用硬件层的信息重构出操作系统层的语义信息,有效提升了隔离运行环境的行为可监控性。基于此平台,构造了自隐藏恶意代码检测系统,该系统能够有效的检测出比现有检测机制更多的自隐藏恶意代码。
5.针对能够感知虚拟机存在并隐藏自身恶意行为的所谓“虚拟机感知”恶意代码,本文建立了基于硬件虚拟化技术的防御模型,该模型通过模拟已有虚拟机的各种指纹故意使此类恶意代码感知到虚拟机的存在,进而使其主动放弃恶意行为的执行。测试结果证明原型系统MiniVMM能够将运行中的操作系统动态地在本地模式和虚拟化模式间切换,并能准确模拟各类虚拟机指纹,进一步提高了对恶意代码行为的抑止能力。
综上所述,本文针对隔离运行环境的安全隔离性、功能完整性、性能适应性和行为可监控性提出了有效的解决方案,对于提高个人计算平台抵御非可信软件安全威胁的能力具有重要的理论意义和应用价值。
With the continuous development of the network technology and the significant raising of the hardware’s performance-price ratio, the application patterns of the network have changed greatly. The users of the personal computing platforms are willing to download and execute freeware/shareware on the Internet. The personal computing platforms are changing from the terminal devices to serve as the basic components of the network computing. However, this evolvement incurs more serious security threats to the personal computing platforms. Consequently, these threats come up with several new challenges to the existing protecting mechanisms. Constructing a transparent isolated execution environment, which can confine the potential threats of the untrusted software and monitor the behavior of this software without negating its functionality benefits, will serve as the important technology approach to protect the personal computing platforms against the security threats of the untrusted software.
Building such an isolated execution environment has to be faced with two challenges. The first challenge is how to achieve both the full isolation and the functionality benefits of the isolated software while the performance overhead is acceptable. The second challenge is how to identify and confine the potential malicious behavior of the untrusted software while guaranteeing the full isolation. This dissertation introduces the virtual machine technology and proposes four concepts, exploring security isolation, functional integrity, performance adaptability and behavior inspectability. In addition, this dissertation makes an in-depth study on how to improve the functional integrity and performance adaptability while guaranteeing the security isolation. Besides, a new technology is proposed to inspect and analyze the isolated software’s behavior at the virtualization layer. Having solved the challenges arising in the whole lifetime of untrusted code, exploring introduction, execution, verification and submission to the host environment, this dissertation makes five contributions as follows:
1. Existing isolation execution technology cannot achieve both the OS isolation and execution environment reproduction. To address the dilemma, this dissertation proposes a new virtual machine based isolation model - Safe Virtual Execution Environment (SVEE). This model supports both OS isolation and execution environment reproduction. In addition, this dissertation proves in theory that SVEE isolation model satisfies the Bell-LaPadula confidentiality model and the Biba integrity model. Besides, this model will notablely improve the intrusion-tolerant ability of the host execution environment which is just the protecting concern for the personal users. SVEE achieves the balance among security isolation, functional integrity, performance adaptability and behavior inspectability of the isolated execution environment. Based on this model, an OS-independent architecture is built for SVEE.
2. To resolve the file system confliction induced by the execution environment reproduction and the software/hardware incompatibility caused by the OS migration, SVEE comes up with a so-called local virtualization technology which is composed of volume snapshot technology and dynamic OS migration technology. By dint of them, SVEE effectively accomplishes the configurable execution environment reproduction, so it improves the functional integrity of the isolated code. The evaluation results show that SVEE can run on various PCs definitely well.
3. In order to improve the performance of SVEE, SVEE introduces the dynamic instruction translation technology and dynamic physical memory allocation technology. These two technologies enhance the performance integrity of the isolated code. The evaluation results of SPEC 2006 illustrate that the computing-intensive benchmarks run essentially at native speed on SVEE (suffering a slowdown of 4.41% on average). Experimental data of the dynamic physical memory allocation technology shows an overall performance improvement of 6.82% while exacting an overhead of 3% to CPU.
4. For providing the ability to inspect and analyze the behavior of untrusted code at the virtualization layer, SVEE brings forward a new implicit OS information reconstruction technology. In virtue of this technology, SVEE is capable of reconstructing the OS layer semantic information from the collected hardware layer information without the help of OS APIs. Consequently, this technology effectively improves the inspectability of the isolated code. SVEE also constructs a stealth malware detection system. The evaluation results with real-world rootkits, which are widely used by stealth malware, demonstrate that this system can detect more stealth malware than existing detectors.
5. With security researchers relying on the virtual machine (VM) in their analysis work, so-called VM-aware malware has a significant stake in detecting the presence of a virtual machine to avoid executing its vicious behavior. But hiding the virtualization from malware by building a transparent virtual machine monitor (VMM) is fundamentally infeasible, as well as impractical from a performance and engineering standpoint. This dissertation proposes a new approach called MiniVMM from another perspective: hiding the“real”machine from the VMM-aware malware. Instead of building a transparent VMM, MiniVMM advisedly exposes the VMM fingerprints to prevent the computer against VMM-aware malicious programs by deceiving them into deactivating their destructive behavior by themselves. Ulteriorly, MiniVMM enhances the inspectability of the isolated code.
As a summary, this dissertation proposes a feasible approach which provides security against potential malware along with untrusted code while improving the functional integrity, performance adaptability and behavior inspectability of this isolated software. In the point of view of improving the personal computing platforms’security, this approach owns desirable theoretic value and application significance.
引文
[1] Cohen F. Computational Aspects of Computer Viruses[J]. Computers & Security. 1989, 8(4): 325-344.
[2] Chess D M, White S R. An Undetectable Computer Virus[C]. Virus Bulletin Conference, Orlando, Florida, USA. 2000: 1-8.
[3] Reiner S, van Leendert D, James W. The Role of TPM in Enterprise Security[R]. IBM Research Division, Technical Report RC23363: 2004.
[4] European Multilaterally Secure Computing Base: Towards Trustworthy Systems with Open Standards and Trusted Computing[Z]. http://www.emscb.com/content/ pages/49373.htm. Access at Feb 3, 2008.
[5] Chen P M, Noble B D. When Virtual is Better than Real[C]. 8th Workshop on Hot Topics in Operating Systems (HotOS'01), Bavarian Alps, Germany. 2001: 133-138.
[6] Carpenter M, Liston T, Skoudis E. Hiding Virtualization from Attackers and Malware[J]. IEEE Security & Privacy Magazine. 2007, 5(3): 62-65.
[7] Bishop M. Computer Security: Art and Science[M]. Addison Wesley, 2002.
[8] Goldberg R P. Architecture of Virtual Machines[C]. Proceedings of the Workshop on Virtual Computer Systems, Cambridge, Massachusetts, USA. 1973: 74-112.
[9] Bellard F. QEMU, a Fast and Portable Dynamic Translator[C]. Proceedings of the USENIX Annual Technical Conference (USENIX'05), Marriott Anaheim, Anaheim, CA. 2005: 41-46.
[10] Wang Y M, Beck D, Vo B, et al. Detecting Stealth Software with Strider GhostBuster[C]. Proceedings of 35th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'05), Yokohama, Japan. 2005: 368–377.
[11] Sun W, Liang Z, Sekar R, et al. One-way Isolation: An Effective Approach for Realizing Safe Execution Environments[C]. Proceedings of Network and Distributed Systems Security Symposium (NDSS'05), San Diego, California, USA. 2005: 1-18.
[12] Goldberg I, Wagner D, Thomas R, et al. A Secure Environment for Untrusted Helper Applications: Confining the Wily Hacker[C]. Proceedings of the 6th USENIX Security Symposium, San Jose, California, USA. 1996: 1–13.
[13] Garfinkel T. Traps and Pitfalls: Practical Problems in in System Call Interposition based Security Tools[C]. Proceedings of the ISOC Symposium on Network and Distributed System Security (NDSS'03), San Diego, California, USA. 2003: 163-176.
[14] Provos N. Improving Host Security with System Call Policies[C]. Proceedings of the 12th USENIX Security Symposium, Washington, D.C., USA. 2003: 257-271.
[15] Dan A, Mohindra A, Ramaswami R, et al. ChakraVyuha(CV) : A Sandbox Operating System Environment for Controlled Execution of Alien Code[J]. Technical Report 20742, IBM T.J. Watson Research Center. 1997.
[16] Suresh N C, Pau-chen C. BlueBox: A Policy-driven, Host-Based Intrusion Detection System[J]. ACM Transactions on Information and System Security (TISSEC). 2003, 6(2): 173-200.
[17] Dawidek P J. Cerb: System Firewall Mechanism[Z]. http://cerber.sourceforge.net/.Access at Feb 22, 2008.
[18] Acharya A, Raje M. Mapbox: Using Parameterized Behavior Classes to Confine Applications[C]. Proceedings of the 9th USENIX Security Symposium, Denver, Colorado, USA. 2000: 1-18.
[19] Peterson D S, Bishop M, Pandey R. A Flexible Containment Mechanism for Executing Untrusted Code[C]. Proceedings of the 11th USENIX Security Symposium, San Francisco, CA. 2002: 207-225.
[20] Prevelakis V, Spinellis D. Sandboxing Applications[C]. Proceedings of USENIX Annual Technical Conference, Washington, D.C., USA. 2001: 119-126.
[21] Scott K, Davidson J. Safe Virtual Execution using Software Dynamic Translation[C]. Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC'02), Las Vegas, Nevada, USA. 2002: 209-218.
[22] Chiueh T, Sankaran H, Neogi A. Spout: A Transparent Distributed Execution Engine for Java Applets[C]. Proceedings of the 20th International Conference on Distributed Computing Systems (ICDCS'00), Taipei, Taiwan, ROC. 2000: 394-401.
[23] Malkhi D, Reiter M K. Secure Execution of Java Applets using A Remote Playground[J]. IEEE Transactions on Software Engineering. 2000, 26(12): 1197-1209.
[24] Liu P, Jajodia S, Mccollum C D. Intrusion confinement by isolation in information systems[J]. Journal of Computer Security. 2000, 8(4): 243-279.
[25] Liang Z, Venkatakrishnan V N, Sekar R. Isolated Program Execution: An Application Transparent Approach for Executing Untrusted Programs[C]. Proceedings of Annual Computer Security Applications Conference (ACSAC'03), Las Vegas, NV, USA. 2003: 182-191.
[26] Calder B, Chien A A, Wang J, et al. The Entropia Virtual Machine for Desktop Grids[C]. Proceedings of the 1st ACM/USENIX International Conference on Virtual Execution Environments, Chicago, Illinois, USA. 2005: 186-196.
[27] Whitaker A, Shaw M, Gribble S D. Denali: A Scalable Isolation Kernel[C]. Proceedings of the 10th ACM SIGOPS European Workshop, Saint-Emilion, France. 2002: 10-15.
[28] Whitaker A, Shaw M, Gribble S D. Denali: Lightweight Virtual Machines for Distributed and Networked Applications[R]. University of Washington Technical Report 02-02-012002.
[29] Whitaker A, Shaw M, Gribble S D. Scale and Performance in the Denali Isolation Kernel[C]. Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI'02), Boston, Massachusetts, USA. 2002: 195-209.
[30] Whitaker A, Cox R S, Shaw M, et al. Constructing Services with Interposable Virtual Hardware[C]. Proceedings of the 1th Symposium on Network System Design and Implementation (NSDI'04), San Francisco, California, USA. 2004: 13-26.
[31] Sugerman J, Venkitachalam G, Lim B H. Virtualizing I/O Devices on VMware Workstation's Hosted Virtual Machine Monitor[C]. Proceedings of the 2001 USENIX Annual Technical Conference, Boston, Massachusetts, USA. 2001: 1-14.
[32] Waldspurger C A. Memory Resource Management in VMware ESX Server[C]. Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI '02), Boston, Massachusetts, USA. 2002: 181-194.
[33] Schaefer M, Gold B, Linde R, et al. Program Confinement in KVM/370[C]. Proceedings of the 1977 ACM Annual Conference, Seattel, Washington, USA. 1977: 404–410.
[34] Gold B D, Linde R R, Schaefer M, et al. VM/370 Security Retrofit Rrogram[C]. Proceedings of the 1977 ACM Annual Conference, Seattel, Washington, USA. 1977: 411-418.
[35] Seawright L H, Mackinnon R A. VM/370 - a Study of Multiplicity and Usefulness[J]. IBM Systems Journal. 1979.
[36] Creasy R J. the Origin of theVM/370 Time-sharing System[J]. IBM Journal of Research and Development. 1981.
[37] Barham P, Dragovic B, Fraser K, et al. Xen and the Art of Virtualization[C]. Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP'03), New York, USA. 2003: 164-177.
[38] Ian P, Keir F, Steve H, et al. Xen 3.0 and the Art of Virtualization[C]. Proceedings of the Ottawa Linux Symposium, Ottawa, Canada. 2005: 65-78.
[39] Clark B, Deshane T, Dow E, et al. Xen and the Art of Repeated Research[C]. Proceedings of the USENIX Annual Technical Conference, Boston, Massachusetts, USA. 2004: 47-56.
[40] Swsoft. Parallel Workstation[Z]. http://www.parallels.com/en/products/ workstation. Access at May 12, 2008.
[41] Robin J S, Irvine C E. Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor[C]. Proceedings of the 9th USENIX Security Symposium, Denver, Colorado, USA. 2000: 129–144.
[42] Microsoft. Microsoft Virtual PC 2007[Z]. http://www.microsoft.com/windows/ products/winfamily/virtualpc/default.mspx. Access at June 18, 2007.
[43] Uhlig R, Neiger G, Rodgers D, et al. Intel Virtualization Technology[J]. IEEE Computer. 2005, 38(5): 48-56.
[44] Abramson D, Jackson J, Muthrasanallur S, et al. Intel Virtualization Technology for Directed I/O[J]. Intel Technology Journal. 2006, 10(3): 179–192.
[45] Neiger G, Santoni A, Leung F, et al. Intel Virtualization Technology: Hardware Support for Efficient Processor Virtualization[J]. Intel Technology Journal. 2006, 10(3): 167–177.
[46] Amd. AMD64 Vrtualization Codenamed "pacifica" Technology: Secure Virtual Machine Architecture Reference Manual[R]. 2005.
[47] Yaozu D, Shaofan L, Asit M, et al. Extending Xen with Intel Virtualization Technology[J]. Intel Technology Journal. 2006, 10(3): 193-203.
[48] Gupta D, Gardner R, Cherkasova L. XenMon: QoS Monitoring and Performance Profiling Tool[R]. Tech Report: HPL-2005-1872005.
[49] Haifeng X, Sihan Q, Huanguo Z. XEN Virtual Machine Technology and Its Security Analysis[J]. Wuhan University Journal of Natural Sciences. 2007, 12.
[50] Anwar Z, Campbell R H. Secure Reincarnation of Compromised Servers using Xen Based Time-Forking Virtual Machines[C]. 5th IEEE International Conference on Pervasive Computing and Communications Workshops (PerComW'07), New York, USA. 2007: 477-482.
[51] Fraser K, Hand S, Neugebauer R, et al. Safe Hardware Access with the Xen Virtual Machine Monitor[C]. Proceedings of the 1st Workshop on Operating System and Architectural Support for the on demand IT InfraStructure (OASIS), Boston, Masschusetts, USA. 2004: 1-10.
[52] Quynh N A, Takefuji Y. A Novel Approach for a File-system Integrity Monitor Tool of Xen Virtual Machine[C]. Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, Singapore. 2007: 194-202.
[53] Gardner L C. Measuring CPU Overhead for I/O Processing in the Xen Virtual Machine Monitor[C]. USENIX 2005 Annual Technical Conference, Anaheim, California, USA. 2005: 387-390.
[54] Chen H, Chen R, Zhang F, et al. Live Updating Operating Systems Using Virtualization[C]. Proceedings of the 2st ACM/USENIX International Conference on Virtual Execution Environments, Ottawa, Canada. 2006: 35-44.
[55] Kourai K, Chiba S. HyperSpector: Virtual Distributed Monitoring Environments for Secure Intrusion Detection[C]. Proceedings of the 1st ACM/USENIX International Conference on Virtual Execution Environments (VEE'05), Chicago, Illinois, USA. 2005: 197-207.
[56] Youseff L, Wolski R, Gorda B, et al. Evaluating the Performance Impact of Xen on MPI and Process Execution for HPC Systems[C]. the First International Workshop on Virtualization Technology in Distributed Computing (VTDC), held in conjunction with Supercomputing (SC06), Tampa, Florida, USA. 2006: 1-8.
[57] Gupta D, Cherkasova L, Gardner R, et al. Enforcing Performance Isolation Across Virtual Machines in Xen[C]. Proceeding of the ACM/IFIP/USENIX 7th International Middleware Conference (Middleware'06), Melbourne, Australia. 2006: 342-362.
[58] Menon A, Santos J R, Turner Y, et al. Diagnosing Performance Overheads In the Xen Virtual Machine Environment[C]. Proceedings of the 1st ACM/USENIX International Conference on Virtual Execution Environments, Chicago, Illinois, USA. 2005: 13-23.
[59] Sailer R, Jaeger T, Valdez E, et al. Building a MAC-Based Security Architecture for the Xen Open-Source Hypervisor[C]. Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC'05), Anaheim, California, USA. 2005: 276-285.
[60] Joshua L, Volkmar U, Ben L, et al. Pre-virtualization: Uniting Two Worlds[C]. Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP'05), Brighton, UK. 2005: 1-2.
[61] Lawton K. The Bochs IA-32 Emulator Project[Z]. http://bochs.sourceforge.net. Access at Feb 12, 2005.
[62] Kamp P H, Watson R N. Jails: Confining the omnipotent root[C]. 2nd International System Administration and Network Engineering Conference (SANE'00), Maastricht, The Netherlands. 2000: 1-15.
[63] Evan S. Securing freeBSD using jail[J]. Sys Admin. 2001, 10(5): 31-37.
[64] Price D, Tucker A. Solaris Zones: Operating System Support for Consolidating Commercial Workloads[C]. USENIX 18th Large Installation System Administration Conference (LISA'04), Atlanta, GA, USA. 2004: 241-254.
[65] Tucker A, Comay D. Solaris Zones: Operating System Support for Server Consolidation[C]. USENIX 3rd Virtual Machine Research and Technology Symposium (VM'04), San Jose, California, USA. 2004: 1-2.
[66] Linux-VServer[Z]. http://linux-vserver.org. Access at Oct 9, 2007.
[67] Dike J. A User-mode Port of the Linux Kernel[C]. Proceedings of the 4th Annual Linux Showcase & Conference, Atlanta, Georgia, USA. 2000: 7-16.
[68] Hoxer H J, Buchacker K, Sieh V. Implementing a User-Mode Linux withMinimal Changes from Original Kernel[C]. Proceedings of the 2002 International Linux System Technology Conference, Cologne, Germany. 2002: 72-82.
[69] Jeff D. User Mode Linux[M]. Prentice Hall, 2006.
[70] WINE Project[Z]. http://www.winehq.org/. Access at Feb 15, 2006.
[71] Karger P A, Zurko M E, Bonin D W, et al. A Retrospective on the VAX VMM Security Kernel[J]. IEEE Transactions on Software Engineering. 1991, 17(11): 1147-1165.
[72] Dunlap G W, King S T, Cinar S, et al. ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay[C]. Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI'02), Boston, Massachusetts, USA. 2002: 211-224.
[73] Garfinkel T, Rosenblum M. A Virtual Machine Introspection Based Architecture for Intrusion Detection[C]. Proceedings of Network and Distributed System Security Symposium (NDSS'03), San Diego, California, USA. 2003: 1-16.
[74] Laureano M, Maziero C, Jamhour E. Intrusion Detection in Virtual Machine Environments[C]. Proceedings of the 30th EUROMICRO Conference (EUROMICRO'04), 2004: 520-525.
[75] Laureano M, Maziero C, Jamhour E. Protecting Host-based Intrusion Detectors through Virtual Machines[J]. The International Journal of Computer and Telecommunications Networking. 2007, 51(5): 1275-1283.
[76] Joshi A, King S T, Dunlap G W, et al. Detecting Past and Present Intrusions through Vulnerability-Specific Predicates[C]. Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP'05), Brighton, UK. 2005: 91-104.
[77] King S T, Chen P M. Backtracking Intrusions[J]. ACM Transactions on Computer Systems (TOCS). 2005, 23(1): 51-76.
[78] King S T, Chen P M. Backtracking Intrusions[C]. Proceedings of the 2003 Symposium on Operating Systems Principles (SOSP'03), New York, USA. 2003: 223-236.
[79] Oliveira D A, Crandall J R, Wassermann G, et al. ExecRecorder: VM-Based Full-System Replay for Attack Analysis and System Recovery[C]. Workshop on Architectural and System Support for Improving Software Dependability (ASID'06, with ASPLOS 2006), 2006: 66-71.
[80] Andreas M, Christopher K, Engin K. Exploring Multiple Execution Paths for Malware Analysis[C]. 2007 IEEE Symposium on Security and Privacy (S&P'07), 2007: 231-245.
[81] Crandall J R, Wassermann G, Oliveira D A, et al. Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines[C]. Proceeedings of 12th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'06), San Jose, California, USA. 2006: 25-36.
[82] Sidiroglou S, Ioannidis J, Keromytis A D, et al. An Email Worm Vaccine Architecture[C]. Proceedings of the 1th Information Security Practice and Experience Conference (ISPEC'05), Singapore. 2005: 97-108.
[83] Wang Y M, Beck D, Jiang X, et al. Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities[C]. Proceedings of Network and Distributed Systems Security Symposium (NDSS'06), San Diego, California, USA. 2006: 1-15.
[84] Seshadri A, Luk M, Qu N, et al. SecVisor: A Tiny Hypervisor to Provide LifetimeKernel Code Integrity for Commodity OSes[C]. Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP'07), Stevenson, Washington, USA. 2007: 335-350.
[85] Jiang X, Wang X, Xu D. Stealthy Malware Detection Through VMM-Based "Out-of-the-Box" Semantic View Reconstruction[C]. Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07), Alexandria, VA, USA. 2007: 128-138.
[86] Zhang Y, Gu Y, Wang H, et al. Virtual-Machine-based Intrusion Detection on File-aware Block Level Storage[C]. Proceedings of the 18th International Symposium on Computer Architecture and High Performance Computing (SBAC-PAD'06), Ouro Preto, Minas Gerais, Brazil. 185-192.
[87] Provos N. A Virtual Honeypot Framework[C]. Proceedings of the 13th USENIX Security Symposium, San Diego, California, USA. 2004: 1-14.
[88] Jiang X, Xu D. Collapsar: A VM-Based Architecture for Network Attack Detention Center[C]. Proceedings of the 13th USENIX Security Symposium, San Diego, California, USA. 2004: 15-28.
[89] Vrable M, Ma J, Chen J, et al. Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm[C]. Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP'05), Brighton, UK. 2005: 148-162.
[90] Dagon D, Qin X, Gu G, et al. HoneyStat: LocalWorm Detection Using Honeypots[C]. Proceedings of 7th International Symposium on Recent Advances in Intrusion Detection (RAID'04), Sophia Antipolis, French Riviera, France. 2004: 39–58.
[91] Asrigo K, Litty L, Lie D. Using VMM-Based Sensors to Monitor Honeypots[C]. Proceedings of the 2st ACM/USENIX International Conference on Virtual Execution Environments (VEE'06), Ottawa, Canada. 2006: 13-23.
[92] Jiang X, Xinyuanwang. "Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots[C]. Proceedings of 10th International Symposium on Recent Advances in Intrusion Detection (RAID'07), Gold Goast, Queensland, Australia. 2007: 198-218.
[93] Garfinkel T, Pfaff B, Chow J, et al. Terra: A Virtual Machine-Based Platform for Trusted Computing[C]. Proceedings of The 19th ACM Symposium on Operating Systems Principles (SOSP'03), New York, USA. 2003: 193-206.
[94] Karger P A. Multi-Level Security Requirements for Hypervisors[C]. Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC'05), Tucson, Arizona, USA. 2005: 267-275.
[95] Jaeger T, Sailer R, Sreenivasan Y. Managing the Risk of Covert Information Flows in Virtual Machine Systems[C]. Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT'07), Sophia Antipolis, France. 2007: 81-90.
[96] Cabuk S, Dalton C I, Ramasamy H G, et al. Towards Automated Provisioning of Secure Virtualized Networks[C]. Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07), Alexandria, VA, USA. 2007: 235-245.
[97] Stefan B, Ramon C, Kenneth A G, et al. vTPM: Virtualizing the Trusted Platform Module[C]. Proceedings of 15th USENIX Security Symposium, Vancouver, B.C., Canada,. 2006: 305-320.
[98] Melvin J A, Micha M, Chris I D. Towards Trustworthy VirtualizationEnvironments: Xen Library OS Security Service Infrastructure, HP Technical Report[R]. http://www.hpl.hp.com/techreports/2007/HPL-2007-69.html2007.
[99] Ford B, Hibler M, Lepreau J, et al. Microkernels Meet Recursive Virtual Machines[C]. Proceeding of the 2th Symposium on Operating Systems Design and Implementation (OSDI'96), Seattle, Washington, USA. 1996: 137-151.
[100] Tal G, Mendel R, Dan B. Flexible OS Support and Applications for Trusted Computing[C]. 11th Workshop on Hot Topics in Operating Systems (HotOS'03), Lihue (Kauai), Hawaii, USA. 2003: 145-170.
[101] Bressoud T C, Schneider F B. Hypervisor-based Fault-tolerance[C]. Proceedings of the 15th ACM Symposium on Operating Systems Principles (SOSP '95), Copper Mountain Resort, Colorado, USA. 1995: 1–11.
[102] Bugnion E, Devine S, Govil K, et al. Disco: Running Commodity Operating Systems on Scalable Multiprocessors[J]. ACM Transactions on Computer Systems (TOCS). 1997, 15(4): 412-447.
[103] Govil K, Teodosiu D, Rosenblum Y H. Cellular Disco: Resource Management using Virtual Clusters on Shared-memory Multiprocessors[C]. Proceedings of the 17th ACM Symposium on Operating Systems Principles (SOSP'99), Kiawah Island Resort, SC, USA. 1999: 154-169.
[104] Figueiredo R J, Dinda P A, Fortes J A. A Case for Grid Computing on Virtual Machines[C]. Proceedings of the 23th International Conference on Distributed Computing Systems (ICDCS'03), Providence, Rhode Island USA. 2003: 550-559.
[105] Santhanam S, Elango P, Arpaci-dusseau A, et al. Deploying Virtual Machines as Sandboxes for the Grid[C]. Second Workshop on Real, Large Distributed Systems, San Francisco, CA. 2005: 7-12.
[106] Krsul I, Ganguly A, Zhang J, et al. VMPlants: Providing and Managing Virtual Machine Execution Environments for Grid Computing[C]. ACM/IEEE Supercomputing 2004 Conference (SC'04), Washington, DC, USA. 2004: 7.
[107] Zhao X, Borders K, Prakash A. SVGrid: A Secure Virtual Environment for Untrusted Grid Applications[C]. ACM/IFIP/USENIX 6th International Middleware Conference, Grenoble, France. 2005: 1-6.
[108] Qumranet. KVM: Kernel-based Virtualization Driver[Z]. http://www.qumranet. com/wp/kvm_wp.pdf. Access at Oct 16, 2007.
[109] Tan L, Chan E M, Farivar R, et al. iKernel: Isolating Buggy and Malicious Device Drivers Using Hardware Virtualization Support[C]. Proceedings of the 3th IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'07), Columbia, MD, USA. 2007: 134-144.
[110] Kwan P C, Durfee G. Practical Uses of Virtual Machines for Protection of Sensitive User Data[C]. Proceedings of The 3rd Information Security Practice and Experience Conference (ISPEC'07), Hong Kong, China. 2007: 1-17.
[111] Lagar-cavilla H A, Tolia N, Satyanarayanan M, et al. VMM-Independent Graphics Acceleration[C]. Proceedings of the Third International ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments (VEE '07), San Diego, California, USA. 2007: 33-43.
[112] Popek G J, Goldberg R P. Formal Requirements for Virtualizable Third Generation Architectures[J]. Communications of the ACM. 1974, 17(7): 412-421.
[113] Microsoft. What is the Windows Integrity Mechanism?[Z]. http://msdn.microsoft .com/en-us/library/bb625957.aspx. Access at Feb 20, 2008.
[114] Safford D, Zohar M. Trusted Computing and Open Source[J]. InformationSecurity Technical Report. 2005, 10(2): 74-82.
[115] Bolshakov K, Reshetova E. FreeBSD Mandatory Access Control Usage for Implementing Enterprise Security Policies[Z]. http://arxiv.org/abs/0706.1755v1. Access at Mar 2, 2008.
[116] Mark G. G, Kenneth R. Van W. Secure Coding: Principles & Practices[M]. O'Reilly, 2003.
[117] Jonsson E, Olovsson T. A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior[J]. IEEE Transactions on Software Engineering. 1997, 23(4): 235-245.
[118] Russinovich M E, Solomon D A. Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server 2003, Windows XP, and Windows 2000[M]. Microsoft Press, 2004.
[119]温研.基于通用有限状态机的网络行为监控系统的研究与实现,硕士论文[D].长沙:国防科学技术大学, 2004.
[120] Richard J, Rafael D L. Garbage Collection: Algorithms for Automatic Dynamic Memory Management[M]. 1997, 1997.
[121] Vmware. Experimental Support for Direct3D[Z]. http://www.vmware.com/ support/ws55/doc/ws_vidsound_d3d_audience.html. Access at Nov 16, 2007.
[122] Sivathanu M, Bairavasundaram L N, Arpaci-dusseau A C, et al. Life or Death at Block Level[C]. Proceedings of the 6th Symposium on Operating Systems Design and Implementation(OSDI'04), San Francisco, California, USA. 2004: 379–394.
[123] Wireshark[Z]. http://www.wireshark.org/. Access at Oct 18, 2007.
[124] Tamosoft. CommView[Z]. http://www.tamos.com/products/commview/. Access at Sep 16, 2007.
[125] Microsoft. Windows Malicious Software Removal Tool[Z]. http://www.microsoft .com/security/malwareremove/. Access at Oct 18, 2007.
[126] Aphex: AFX Windows Rootkit 2003[Z]. http://www.iamaphex.cjb.net. Access at Oct 19, 2007.
[127] Hacker Defender[Z]. http://hxdef.org/. Access at Dec 18, 2007.
[128] Fuzen. FU Rootkit[Z]. http://www.rootkit.com/project.php?id=12. Access at Sep 20, 2007.
[129] Silberman P, C H A. FUTo: Bypassing Blacklight and IceSword[Z]. https://www. rootkit.com/newsread.php?newsid=433. Access at Oct 22, 2007.
[130] Pe. phide_ex -untimate process hiding example[Z]. http://forum.sysinternals.com/ printer_friendly_posts.asp?TID=8527. Access at Nov 18, 2007.
[131] Anti Rootkit Group[Z]. http://www.antirootkit.com/blog/. Access at Nov 22, 2007.
[132] F-Secure Blacklight[Z]. http://www.f-secure.com/blacklight/. Access at Nov 2, 2007.
[133] DarkSpy[Z]. http://www.fyyre.net/~cardmagic/index_en.html. Access at Nov 3, 2007.
[134] Icesword[Z]. http://pjf.blogcn.com/index.shtml. Access at Nov 2, 2007.
[135] RootKit Unhooker[Z]. http://rku.nm.ru/. Access at Nov 6, 2007.
[136] UnHackMe[Z]. http://www.greatis.com/unhackme/. Access at Nov 6, 2007.
[137] Gmer[Z]. http://www.gmer.net/index.php. Access at Nov 5, 2007.
[138] Kernel Hidden Process/Module Checker[Z]. http://www.security.org.sg/code/ kproccheck.html. Access at Nov 2, 2007.
[139] Process Hunter[Z]. http://ms-rem.dot-link.net. Access at Nov 6, 2007.
[140] TaskInfo[Z]. http://www.iarsn.com/taskinfo.html. Access at Nov 6, 2007.
[141] AFX Rootkit 2005[Z]. http://www.rootkit.com/project.php?id=23. Access at Nov 5, 2007.
[142] port/connection hiding[Z]. http://www.rootkit.com/newsread.php?newsid=143. Access at Nov 5, 2007.
[143] Uty. kernel tcp librAry[Z]. http://www.rootkit.com/newsread.php?newsid=591. Access at Nov 12, 2007.
[144] Hunt G, Brubacher D. Detours: Binary Interception of Win32 Functions[C]. Proceedings of the 3rd USENIX Windows NT Symposium, Seattle, Washington, USA. 1999: 135-143.
[145] ProBot SE[Z]. http://sharewareconnection.com/probot-se.htm. Access at Nov 12, 2007.
[146] Clandestine File System Driver[Z]. http://www.rootkit.com/newsread.php?newsid =386. Access at Nov 12, 2007.
[147] Effective File Hiding : Bypassing Raw File System I/O Rootkit Detector[Z]. http://www.rootkit.com/newsread.php?newsid=690. Access at Nov 15, 2007.
[148] Einstein. How to avoid the detection of hidden regkey by hooking RegSaveKeyA[Z]. https://www.rootkit.com/newsread.php?newsid=27. Access at Nov 12, 2007.
[149] weasel I M. How to avoid the detection of hidden regkey by hooking NtSaveKey![Z]. http://www.rootkit.com/newsread.php?newsid=420. Access at Nov 10, 2007.
[150] Linux NTFS file system support[Z]. http://www.linux-ntfs.org/doku.php. Access at Nov 20, 2007.
[151] Chen X, Andersen J, Mao Z M, et al. Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware[C]. Proceedings of 38th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'08), Anchorage, Alaska, USA. 2008: 1-10.
[152] Liston T, Skoudis E. On the Cutting Edge: Thwarting Virtual Machine Detection[Z]. http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_ Skoudis.pdf. Access at Feb 12, 2007.
[153] Garfinkel T, Adams K, Warfield A, et al. Compatibility is Not Transparency: VMM Detection Myths and Realities[C]. 11th Workshop on Hot Topics in Operating Systems (HotOS'07), San Diego, California, USA. 2007: 1-6.
[154] Ferrie P. Tumours and Polips[Z]. http://pferrie.tripod.com/vb/polip.pdf. Access at Oct 12, 2007.
[155] Klein T. jerry - A(nother) VMware Fingerprinter[Z]. http://www.trapkit.de/ research/vmm/jerry/index.html. Access at Oct 10, 2007.
[156] Vmware. Open Virtual Machine Tools[Z]. http://open-vm-tools.sourceforge.net/. Access at Feb 12, 2008.
[157] Ferrie P. Attacks on Virtual Machine Emulators[C]. AVAR Conference, 2006: .
[158] Distributed Management Task Force, Inc. System Management BIOS Reference Specification, v2.6 Preliminary[Z]. http://www.dmtf.org/standards/ published_documents/DSP0134.pdf. Access at May 12, 2008.
[159] Dell. Libsmbios[Z]. http://linux.dell.com/libsmbios/main/index.html. Access at May 2, 2008.
[160] Klein T. scoopy_doo VM detection tool[Z]. http://www.trapkit.de/research/vmm /scoopydoo/scoopy_doo.htm. Access at Feb 20, 2008.
[161] Rutkowska J. Red Pill... or how to detect VMM using (almost) one CPU instruction[Z]. http://www.invisiblethings.org/papers/redpill.html. Access at May 20, 2008.
[162] Adams K, Agesen O. A Comparison of Software and Hardware Techniques for x86 Virtualization[C]. Proceedings of The 12th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'06), Seattle, WA, USA. 2006: 2-13.
[163] HWiNFO32[Z]. http://www.hwinfo.com/. Access at May 12, 2008.
[2] Chess D M, White S R. An Undetectable Computer Virus[C]. Virus Bulletin Conference, Orlando, Florida, USA. 2000: 1-8.
[3] Reiner S, van Leendert D, James W. The Role of TPM in Enterprise Security[R]. IBM Research Division, Technical Report RC23363: 2004.
[4] European Multilaterally Secure Computing Base: Towards Trustworthy Systems with Open Standards and Trusted Computing[Z]. http://www.emscb.com/content/ pages/49373.htm. Access at Feb 3, 2008.
[5] Chen P M, Noble B D. When Virtual is Better than Real[C]. 8th Workshop on Hot Topics in Operating Systems (HotOS'01), Bavarian Alps, Germany. 2001: 133-138.
[6] Carpenter M, Liston T, Skoudis E. Hiding Virtualization from Attackers and Malware[J]. IEEE Security & Privacy Magazine. 2007, 5(3): 62-65.
[7] Bishop M. Computer Security: Art and Science[M]. Addison Wesley, 2002.
[8] Goldberg R P. Architecture of Virtual Machines[C]. Proceedings of the Workshop on Virtual Computer Systems, Cambridge, Massachusetts, USA. 1973: 74-112.
[9] Bellard F. QEMU, a Fast and Portable Dynamic Translator[C]. Proceedings of the USENIX Annual Technical Conference (USENIX'05), Marriott Anaheim, Anaheim, CA. 2005: 41-46.
[10] Wang Y M, Beck D, Vo B, et al. Detecting Stealth Software with Strider GhostBuster[C]. Proceedings of 35th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'05), Yokohama, Japan. 2005: 368–377.
[11] Sun W, Liang Z, Sekar R, et al. One-way Isolation: An Effective Approach for Realizing Safe Execution Environments[C]. Proceedings of Network and Distributed Systems Security Symposium (NDSS'05), San Diego, California, USA. 2005: 1-18.
[12] Goldberg I, Wagner D, Thomas R, et al. A Secure Environment for Untrusted Helper Applications: Confining the Wily Hacker[C]. Proceedings of the 6th USENIX Security Symposium, San Jose, California, USA. 1996: 1–13.
[13] Garfinkel T. Traps and Pitfalls: Practical Problems in in System Call Interposition based Security Tools[C]. Proceedings of the ISOC Symposium on Network and Distributed System Security (NDSS'03), San Diego, California, USA. 2003: 163-176.
[14] Provos N. Improving Host Security with System Call Policies[C]. Proceedings of the 12th USENIX Security Symposium, Washington, D.C., USA. 2003: 257-271.
[15] Dan A, Mohindra A, Ramaswami R, et al. ChakraVyuha(CV) : A Sandbox Operating System Environment for Controlled Execution of Alien Code[J]. Technical Report 20742, IBM T.J. Watson Research Center. 1997.
[16] Suresh N C, Pau-chen C. BlueBox: A Policy-driven, Host-Based Intrusion Detection System[J]. ACM Transactions on Information and System Security (TISSEC). 2003, 6(2): 173-200.
[17] Dawidek P J. Cerb: System Firewall Mechanism[Z]. http://cerber.sourceforge.net/.Access at Feb 22, 2008.
[18] Acharya A, Raje M. Mapbox: Using Parameterized Behavior Classes to Confine Applications[C]. Proceedings of the 9th USENIX Security Symposium, Denver, Colorado, USA. 2000: 1-18.
[19] Peterson D S, Bishop M, Pandey R. A Flexible Containment Mechanism for Executing Untrusted Code[C]. Proceedings of the 11th USENIX Security Symposium, San Francisco, CA. 2002: 207-225.
[20] Prevelakis V, Spinellis D. Sandboxing Applications[C]. Proceedings of USENIX Annual Technical Conference, Washington, D.C., USA. 2001: 119-126.
[21] Scott K, Davidson J. Safe Virtual Execution using Software Dynamic Translation[C]. Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC'02), Las Vegas, Nevada, USA. 2002: 209-218.
[22] Chiueh T, Sankaran H, Neogi A. Spout: A Transparent Distributed Execution Engine for Java Applets[C]. Proceedings of the 20th International Conference on Distributed Computing Systems (ICDCS'00), Taipei, Taiwan, ROC. 2000: 394-401.
[23] Malkhi D, Reiter M K. Secure Execution of Java Applets using A Remote Playground[J]. IEEE Transactions on Software Engineering. 2000, 26(12): 1197-1209.
[24] Liu P, Jajodia S, Mccollum C D. Intrusion confinement by isolation in information systems[J]. Journal of Computer Security. 2000, 8(4): 243-279.
[25] Liang Z, Venkatakrishnan V N, Sekar R. Isolated Program Execution: An Application Transparent Approach for Executing Untrusted Programs[C]. Proceedings of Annual Computer Security Applications Conference (ACSAC'03), Las Vegas, NV, USA. 2003: 182-191.
[26] Calder B, Chien A A, Wang J, et al. The Entropia Virtual Machine for Desktop Grids[C]. Proceedings of the 1st ACM/USENIX International Conference on Virtual Execution Environments, Chicago, Illinois, USA. 2005: 186-196.
[27] Whitaker A, Shaw M, Gribble S D. Denali: A Scalable Isolation Kernel[C]. Proceedings of the 10th ACM SIGOPS European Workshop, Saint-Emilion, France. 2002: 10-15.
[28] Whitaker A, Shaw M, Gribble S D. Denali: Lightweight Virtual Machines for Distributed and Networked Applications[R]. University of Washington Technical Report 02-02-012002.
[29] Whitaker A, Shaw M, Gribble S D. Scale and Performance in the Denali Isolation Kernel[C]. Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI'02), Boston, Massachusetts, USA. 2002: 195-209.
[30] Whitaker A, Cox R S, Shaw M, et al. Constructing Services with Interposable Virtual Hardware[C]. Proceedings of the 1th Symposium on Network System Design and Implementation (NSDI'04), San Francisco, California, USA. 2004: 13-26.
[31] Sugerman J, Venkitachalam G, Lim B H. Virtualizing I/O Devices on VMware Workstation's Hosted Virtual Machine Monitor[C]. Proceedings of the 2001 USENIX Annual Technical Conference, Boston, Massachusetts, USA. 2001: 1-14.
[32] Waldspurger C A. Memory Resource Management in VMware ESX Server[C]. Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI '02), Boston, Massachusetts, USA. 2002: 181-194.
[33] Schaefer M, Gold B, Linde R, et al. Program Confinement in KVM/370[C]. Proceedings of the 1977 ACM Annual Conference, Seattel, Washington, USA. 1977: 404–410.
[34] Gold B D, Linde R R, Schaefer M, et al. VM/370 Security Retrofit Rrogram[C]. Proceedings of the 1977 ACM Annual Conference, Seattel, Washington, USA. 1977: 411-418.
[35] Seawright L H, Mackinnon R A. VM/370 - a Study of Multiplicity and Usefulness[J]. IBM Systems Journal. 1979.
[36] Creasy R J. the Origin of theVM/370 Time-sharing System[J]. IBM Journal of Research and Development. 1981.
[37] Barham P, Dragovic B, Fraser K, et al. Xen and the Art of Virtualization[C]. Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP'03), New York, USA. 2003: 164-177.
[38] Ian P, Keir F, Steve H, et al. Xen 3.0 and the Art of Virtualization[C]. Proceedings of the Ottawa Linux Symposium, Ottawa, Canada. 2005: 65-78.
[39] Clark B, Deshane T, Dow E, et al. Xen and the Art of Repeated Research[C]. Proceedings of the USENIX Annual Technical Conference, Boston, Massachusetts, USA. 2004: 47-56.
[40] Swsoft. Parallel Workstation[Z]. http://www.parallels.com/en/products/ workstation. Access at May 12, 2008.
[41] Robin J S, Irvine C E. Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor[C]. Proceedings of the 9th USENIX Security Symposium, Denver, Colorado, USA. 2000: 129–144.
[42] Microsoft. Microsoft Virtual PC 2007[Z]. http://www.microsoft.com/windows/ products/winfamily/virtualpc/default.mspx. Access at June 18, 2007.
[43] Uhlig R, Neiger G, Rodgers D, et al. Intel Virtualization Technology[J]. IEEE Computer. 2005, 38(5): 48-56.
[44] Abramson D, Jackson J, Muthrasanallur S, et al. Intel Virtualization Technology for Directed I/O[J]. Intel Technology Journal. 2006, 10(3): 179–192.
[45] Neiger G, Santoni A, Leung F, et al. Intel Virtualization Technology: Hardware Support for Efficient Processor Virtualization[J]. Intel Technology Journal. 2006, 10(3): 167–177.
[46] Amd. AMD64 Vrtualization Codenamed "pacifica" Technology: Secure Virtual Machine Architecture Reference Manual[R]. 2005.
[47] Yaozu D, Shaofan L, Asit M, et al. Extending Xen with Intel Virtualization Technology[J]. Intel Technology Journal. 2006, 10(3): 193-203.
[48] Gupta D, Gardner R, Cherkasova L. XenMon: QoS Monitoring and Performance Profiling Tool[R]. Tech Report: HPL-2005-1872005.
[49] Haifeng X, Sihan Q, Huanguo Z. XEN Virtual Machine Technology and Its Security Analysis[J]. Wuhan University Journal of Natural Sciences. 2007, 12.
[50] Anwar Z, Campbell R H. Secure Reincarnation of Compromised Servers using Xen Based Time-Forking Virtual Machines[C]. 5th IEEE International Conference on Pervasive Computing and Communications Workshops (PerComW'07), New York, USA. 2007: 477-482.
[51] Fraser K, Hand S, Neugebauer R, et al. Safe Hardware Access with the Xen Virtual Machine Monitor[C]. Proceedings of the 1st Workshop on Operating System and Architectural Support for the on demand IT InfraStructure (OASIS), Boston, Masschusetts, USA. 2004: 1-10.
[52] Quynh N A, Takefuji Y. A Novel Approach for a File-system Integrity Monitor Tool of Xen Virtual Machine[C]. Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, Singapore. 2007: 194-202.
[53] Gardner L C. Measuring CPU Overhead for I/O Processing in the Xen Virtual Machine Monitor[C]. USENIX 2005 Annual Technical Conference, Anaheim, California, USA. 2005: 387-390.
[54] Chen H, Chen R, Zhang F, et al. Live Updating Operating Systems Using Virtualization[C]. Proceedings of the 2st ACM/USENIX International Conference on Virtual Execution Environments, Ottawa, Canada. 2006: 35-44.
[55] Kourai K, Chiba S. HyperSpector: Virtual Distributed Monitoring Environments for Secure Intrusion Detection[C]. Proceedings of the 1st ACM/USENIX International Conference on Virtual Execution Environments (VEE'05), Chicago, Illinois, USA. 2005: 197-207.
[56] Youseff L, Wolski R, Gorda B, et al. Evaluating the Performance Impact of Xen on MPI and Process Execution for HPC Systems[C]. the First International Workshop on Virtualization Technology in Distributed Computing (VTDC), held in conjunction with Supercomputing (SC06), Tampa, Florida, USA. 2006: 1-8.
[57] Gupta D, Cherkasova L, Gardner R, et al. Enforcing Performance Isolation Across Virtual Machines in Xen[C]. Proceeding of the ACM/IFIP/USENIX 7th International Middleware Conference (Middleware'06), Melbourne, Australia. 2006: 342-362.
[58] Menon A, Santos J R, Turner Y, et al. Diagnosing Performance Overheads In the Xen Virtual Machine Environment[C]. Proceedings of the 1st ACM/USENIX International Conference on Virtual Execution Environments, Chicago, Illinois, USA. 2005: 13-23.
[59] Sailer R, Jaeger T, Valdez E, et al. Building a MAC-Based Security Architecture for the Xen Open-Source Hypervisor[C]. Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC'05), Anaheim, California, USA. 2005: 276-285.
[60] Joshua L, Volkmar U, Ben L, et al. Pre-virtualization: Uniting Two Worlds[C]. Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP'05), Brighton, UK. 2005: 1-2.
[61] Lawton K. The Bochs IA-32 Emulator Project[Z]. http://bochs.sourceforge.net. Access at Feb 12, 2005.
[62] Kamp P H, Watson R N. Jails: Confining the omnipotent root[C]. 2nd International System Administration and Network Engineering Conference (SANE'00), Maastricht, The Netherlands. 2000: 1-15.
[63] Evan S. Securing freeBSD using jail[J]. Sys Admin. 2001, 10(5): 31-37.
[64] Price D, Tucker A. Solaris Zones: Operating System Support for Consolidating Commercial Workloads[C]. USENIX 18th Large Installation System Administration Conference (LISA'04), Atlanta, GA, USA. 2004: 241-254.
[65] Tucker A, Comay D. Solaris Zones: Operating System Support for Server Consolidation[C]. USENIX 3rd Virtual Machine Research and Technology Symposium (VM'04), San Jose, California, USA. 2004: 1-2.
[66] Linux-VServer[Z]. http://linux-vserver.org. Access at Oct 9, 2007.
[67] Dike J. A User-mode Port of the Linux Kernel[C]. Proceedings of the 4th Annual Linux Showcase & Conference, Atlanta, Georgia, USA. 2000: 7-16.
[68] Hoxer H J, Buchacker K, Sieh V. Implementing a User-Mode Linux withMinimal Changes from Original Kernel[C]. Proceedings of the 2002 International Linux System Technology Conference, Cologne, Germany. 2002: 72-82.
[69] Jeff D. User Mode Linux[M]. Prentice Hall, 2006.
[70] WINE Project[Z]. http://www.winehq.org/. Access at Feb 15, 2006.
[71] Karger P A, Zurko M E, Bonin D W, et al. A Retrospective on the VAX VMM Security Kernel[J]. IEEE Transactions on Software Engineering. 1991, 17(11): 1147-1165.
[72] Dunlap G W, King S T, Cinar S, et al. ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay[C]. Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI'02), Boston, Massachusetts, USA. 2002: 211-224.
[73] Garfinkel T, Rosenblum M. A Virtual Machine Introspection Based Architecture for Intrusion Detection[C]. Proceedings of Network and Distributed System Security Symposium (NDSS'03), San Diego, California, USA. 2003: 1-16.
[74] Laureano M, Maziero C, Jamhour E. Intrusion Detection in Virtual Machine Environments[C]. Proceedings of the 30th EUROMICRO Conference (EUROMICRO'04), 2004: 520-525.
[75] Laureano M, Maziero C, Jamhour E. Protecting Host-based Intrusion Detectors through Virtual Machines[J]. The International Journal of Computer and Telecommunications Networking. 2007, 51(5): 1275-1283.
[76] Joshi A, King S T, Dunlap G W, et al. Detecting Past and Present Intrusions through Vulnerability-Specific Predicates[C]. Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP'05), Brighton, UK. 2005: 91-104.
[77] King S T, Chen P M. Backtracking Intrusions[J]. ACM Transactions on Computer Systems (TOCS). 2005, 23(1): 51-76.
[78] King S T, Chen P M. Backtracking Intrusions[C]. Proceedings of the 2003 Symposium on Operating Systems Principles (SOSP'03), New York, USA. 2003: 223-236.
[79] Oliveira D A, Crandall J R, Wassermann G, et al. ExecRecorder: VM-Based Full-System Replay for Attack Analysis and System Recovery[C]. Workshop on Architectural and System Support for Improving Software Dependability (ASID'06, with ASPLOS 2006), 2006: 66-71.
[80] Andreas M, Christopher K, Engin K. Exploring Multiple Execution Paths for Malware Analysis[C]. 2007 IEEE Symposium on Security and Privacy (S&P'07), 2007: 231-245.
[81] Crandall J R, Wassermann G, Oliveira D A, et al. Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines[C]. Proceeedings of 12th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'06), San Jose, California, USA. 2006: 25-36.
[82] Sidiroglou S, Ioannidis J, Keromytis A D, et al. An Email Worm Vaccine Architecture[C]. Proceedings of the 1th Information Security Practice and Experience Conference (ISPEC'05), Singapore. 2005: 97-108.
[83] Wang Y M, Beck D, Jiang X, et al. Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities[C]. Proceedings of Network and Distributed Systems Security Symposium (NDSS'06), San Diego, California, USA. 2006: 1-15.
[84] Seshadri A, Luk M, Qu N, et al. SecVisor: A Tiny Hypervisor to Provide LifetimeKernel Code Integrity for Commodity OSes[C]. Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP'07), Stevenson, Washington, USA. 2007: 335-350.
[85] Jiang X, Wang X, Xu D. Stealthy Malware Detection Through VMM-Based "Out-of-the-Box" Semantic View Reconstruction[C]. Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07), Alexandria, VA, USA. 2007: 128-138.
[86] Zhang Y, Gu Y, Wang H, et al. Virtual-Machine-based Intrusion Detection on File-aware Block Level Storage[C]. Proceedings of the 18th International Symposium on Computer Architecture and High Performance Computing (SBAC-PAD'06), Ouro Preto, Minas Gerais, Brazil. 185-192.
[87] Provos N. A Virtual Honeypot Framework[C]. Proceedings of the 13th USENIX Security Symposium, San Diego, California, USA. 2004: 1-14.
[88] Jiang X, Xu D. Collapsar: A VM-Based Architecture for Network Attack Detention Center[C]. Proceedings of the 13th USENIX Security Symposium, San Diego, California, USA. 2004: 15-28.
[89] Vrable M, Ma J, Chen J, et al. Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm[C]. Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP'05), Brighton, UK. 2005: 148-162.
[90] Dagon D, Qin X, Gu G, et al. HoneyStat: LocalWorm Detection Using Honeypots[C]. Proceedings of 7th International Symposium on Recent Advances in Intrusion Detection (RAID'04), Sophia Antipolis, French Riviera, France. 2004: 39–58.
[91] Asrigo K, Litty L, Lie D. Using VMM-Based Sensors to Monitor Honeypots[C]. Proceedings of the 2st ACM/USENIX International Conference on Virtual Execution Environments (VEE'06), Ottawa, Canada. 2006: 13-23.
[92] Jiang X, Xinyuanwang. "Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots[C]. Proceedings of 10th International Symposium on Recent Advances in Intrusion Detection (RAID'07), Gold Goast, Queensland, Australia. 2007: 198-218.
[93] Garfinkel T, Pfaff B, Chow J, et al. Terra: A Virtual Machine-Based Platform for Trusted Computing[C]. Proceedings of The 19th ACM Symposium on Operating Systems Principles (SOSP'03), New York, USA. 2003: 193-206.
[94] Karger P A. Multi-Level Security Requirements for Hypervisors[C]. Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC'05), Tucson, Arizona, USA. 2005: 267-275.
[95] Jaeger T, Sailer R, Sreenivasan Y. Managing the Risk of Covert Information Flows in Virtual Machine Systems[C]. Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT'07), Sophia Antipolis, France. 2007: 81-90.
[96] Cabuk S, Dalton C I, Ramasamy H G, et al. Towards Automated Provisioning of Secure Virtualized Networks[C]. Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS'07), Alexandria, VA, USA. 2007: 235-245.
[97] Stefan B, Ramon C, Kenneth A G, et al. vTPM: Virtualizing the Trusted Platform Module[C]. Proceedings of 15th USENIX Security Symposium, Vancouver, B.C., Canada,. 2006: 305-320.
[98] Melvin J A, Micha M, Chris I D. Towards Trustworthy VirtualizationEnvironments: Xen Library OS Security Service Infrastructure, HP Technical Report[R]. http://www.hpl.hp.com/techreports/2007/HPL-2007-69.html2007.
[99] Ford B, Hibler M, Lepreau J, et al. Microkernels Meet Recursive Virtual Machines[C]. Proceeding of the 2th Symposium on Operating Systems Design and Implementation (OSDI'96), Seattle, Washington, USA. 1996: 137-151.
[100] Tal G, Mendel R, Dan B. Flexible OS Support and Applications for Trusted Computing[C]. 11th Workshop on Hot Topics in Operating Systems (HotOS'03), Lihue (Kauai), Hawaii, USA. 2003: 145-170.
[101] Bressoud T C, Schneider F B. Hypervisor-based Fault-tolerance[C]. Proceedings of the 15th ACM Symposium on Operating Systems Principles (SOSP '95), Copper Mountain Resort, Colorado, USA. 1995: 1–11.
[102] Bugnion E, Devine S, Govil K, et al. Disco: Running Commodity Operating Systems on Scalable Multiprocessors[J]. ACM Transactions on Computer Systems (TOCS). 1997, 15(4): 412-447.
[103] Govil K, Teodosiu D, Rosenblum Y H. Cellular Disco: Resource Management using Virtual Clusters on Shared-memory Multiprocessors[C]. Proceedings of the 17th ACM Symposium on Operating Systems Principles (SOSP'99), Kiawah Island Resort, SC, USA. 1999: 154-169.
[104] Figueiredo R J, Dinda P A, Fortes J A. A Case for Grid Computing on Virtual Machines[C]. Proceedings of the 23th International Conference on Distributed Computing Systems (ICDCS'03), Providence, Rhode Island USA. 2003: 550-559.
[105] Santhanam S, Elango P, Arpaci-dusseau A, et al. Deploying Virtual Machines as Sandboxes for the Grid[C]. Second Workshop on Real, Large Distributed Systems, San Francisco, CA. 2005: 7-12.
[106] Krsul I, Ganguly A, Zhang J, et al. VMPlants: Providing and Managing Virtual Machine Execution Environments for Grid Computing[C]. ACM/IEEE Supercomputing 2004 Conference (SC'04), Washington, DC, USA. 2004: 7.
[107] Zhao X, Borders K, Prakash A. SVGrid: A Secure Virtual Environment for Untrusted Grid Applications[C]. ACM/IFIP/USENIX 6th International Middleware Conference, Grenoble, France. 2005: 1-6.
[108] Qumranet. KVM: Kernel-based Virtualization Driver[Z]. http://www.qumranet. com/wp/kvm_wp.pdf. Access at Oct 16, 2007.
[109] Tan L, Chan E M, Farivar R, et al. iKernel: Isolating Buggy and Malicious Device Drivers Using Hardware Virtualization Support[C]. Proceedings of the 3th IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC'07), Columbia, MD, USA. 2007: 134-144.
[110] Kwan P C, Durfee G. Practical Uses of Virtual Machines for Protection of Sensitive User Data[C]. Proceedings of The 3rd Information Security Practice and Experience Conference (ISPEC'07), Hong Kong, China. 2007: 1-17.
[111] Lagar-cavilla H A, Tolia N, Satyanarayanan M, et al. VMM-Independent Graphics Acceleration[C]. Proceedings of the Third International ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments (VEE '07), San Diego, California, USA. 2007: 33-43.
[112] Popek G J, Goldberg R P. Formal Requirements for Virtualizable Third Generation Architectures[J]. Communications of the ACM. 1974, 17(7): 412-421.
[113] Microsoft. What is the Windows Integrity Mechanism?[Z]. http://msdn.microsoft .com/en-us/library/bb625957.aspx. Access at Feb 20, 2008.
[114] Safford D, Zohar M. Trusted Computing and Open Source[J]. InformationSecurity Technical Report. 2005, 10(2): 74-82.
[115] Bolshakov K, Reshetova E. FreeBSD Mandatory Access Control Usage for Implementing Enterprise Security Policies[Z]. http://arxiv.org/abs/0706.1755v1. Access at Mar 2, 2008.
[116] Mark G. G, Kenneth R. Van W. Secure Coding: Principles & Practices[M]. O'Reilly, 2003.
[117] Jonsson E, Olovsson T. A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior[J]. IEEE Transactions on Software Engineering. 1997, 23(4): 235-245.
[118] Russinovich M E, Solomon D A. Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server 2003, Windows XP, and Windows 2000[M]. Microsoft Press, 2004.
[119]温研.基于通用有限状态机的网络行为监控系统的研究与实现,硕士论文[D].长沙:国防科学技术大学, 2004.
[120] Richard J, Rafael D L. Garbage Collection: Algorithms for Automatic Dynamic Memory Management[M]. 1997, 1997.
[121] Vmware. Experimental Support for Direct3D[Z]. http://www.vmware.com/ support/ws55/doc/ws_vidsound_d3d_audience.html. Access at Nov 16, 2007.
[122] Sivathanu M, Bairavasundaram L N, Arpaci-dusseau A C, et al. Life or Death at Block Level[C]. Proceedings of the 6th Symposium on Operating Systems Design and Implementation(OSDI'04), San Francisco, California, USA. 2004: 379–394.
[123] Wireshark[Z]. http://www.wireshark.org/. Access at Oct 18, 2007.
[124] Tamosoft. CommView[Z]. http://www.tamos.com/products/commview/. Access at Sep 16, 2007.
[125] Microsoft. Windows Malicious Software Removal Tool[Z]. http://www.microsoft .com/security/malwareremove/. Access at Oct 18, 2007.
[126] Aphex: AFX Windows Rootkit 2003[Z]. http://www.iamaphex.cjb.net. Access at Oct 19, 2007.
[127] Hacker Defender[Z]. http://hxdef.org/. Access at Dec 18, 2007.
[128] Fuzen. FU Rootkit[Z]. http://www.rootkit.com/project.php?id=12. Access at Sep 20, 2007.
[129] Silberman P, C H A. FUTo: Bypassing Blacklight and IceSword[Z]. https://www. rootkit.com/newsread.php?newsid=433. Access at Oct 22, 2007.
[130] Pe. phide_ex -untimate process hiding example[Z]. http://forum.sysinternals.com/ printer_friendly_posts.asp?TID=8527. Access at Nov 18, 2007.
[131] Anti Rootkit Group[Z]. http://www.antirootkit.com/blog/. Access at Nov 22, 2007.
[132] F-Secure Blacklight[Z]. http://www.f-secure.com/blacklight/. Access at Nov 2, 2007.
[133] DarkSpy[Z]. http://www.fyyre.net/~cardmagic/index_en.html. Access at Nov 3, 2007.
[134] Icesword[Z]. http://pjf.blogcn.com/index.shtml. Access at Nov 2, 2007.
[135] RootKit Unhooker[Z]. http://rku.nm.ru/. Access at Nov 6, 2007.
[136] UnHackMe[Z]. http://www.greatis.com/unhackme/. Access at Nov 6, 2007.
[137] Gmer[Z]. http://www.gmer.net/index.php. Access at Nov 5, 2007.
[138] Kernel Hidden Process/Module Checker[Z]. http://www.security.org.sg/code/ kproccheck.html. Access at Nov 2, 2007.
[139] Process Hunter[Z]. http://ms-rem.dot-link.net. Access at Nov 6, 2007.
[140] TaskInfo[Z]. http://www.iarsn.com/taskinfo.html. Access at Nov 6, 2007.
[141] AFX Rootkit 2005[Z]. http://www.rootkit.com/project.php?id=23. Access at Nov 5, 2007.
[142] port/connection hiding[Z]. http://www.rootkit.com/newsread.php?newsid=143. Access at Nov 5, 2007.
[143] Uty. kernel tcp librAry[Z]. http://www.rootkit.com/newsread.php?newsid=591. Access at Nov 12, 2007.
[144] Hunt G, Brubacher D. Detours: Binary Interception of Win32 Functions[C]. Proceedings of the 3rd USENIX Windows NT Symposium, Seattle, Washington, USA. 1999: 135-143.
[145] ProBot SE[Z]. http://sharewareconnection.com/probot-se.htm. Access at Nov 12, 2007.
[146] Clandestine File System Driver[Z]. http://www.rootkit.com/newsread.php?newsid =386. Access at Nov 12, 2007.
[147] Effective File Hiding : Bypassing Raw File System I/O Rootkit Detector[Z]. http://www.rootkit.com/newsread.php?newsid=690. Access at Nov 15, 2007.
[148] Einstein. How to avoid the detection of hidden regkey by hooking RegSaveKeyA[Z]. https://www.rootkit.com/newsread.php?newsid=27. Access at Nov 12, 2007.
[149] weasel I M. How to avoid the detection of hidden regkey by hooking NtSaveKey![Z]. http://www.rootkit.com/newsread.php?newsid=420. Access at Nov 10, 2007.
[150] Linux NTFS file system support[Z]. http://www.linux-ntfs.org/doku.php. Access at Nov 20, 2007.
[151] Chen X, Andersen J, Mao Z M, et al. Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware[C]. Proceedings of 38th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'08), Anchorage, Alaska, USA. 2008: 1-10.
[152] Liston T, Skoudis E. On the Cutting Edge: Thwarting Virtual Machine Detection[Z]. http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_ Skoudis.pdf. Access at Feb 12, 2007.
[153] Garfinkel T, Adams K, Warfield A, et al. Compatibility is Not Transparency: VMM Detection Myths and Realities[C]. 11th Workshop on Hot Topics in Operating Systems (HotOS'07), San Diego, California, USA. 2007: 1-6.
[154] Ferrie P. Tumours and Polips[Z]. http://pferrie.tripod.com/vb/polip.pdf. Access at Oct 12, 2007.
[155] Klein T. jerry - A(nother) VMware Fingerprinter[Z]. http://www.trapkit.de/ research/vmm/jerry/index.html. Access at Oct 10, 2007.
[156] Vmware. Open Virtual Machine Tools[Z]. http://open-vm-tools.sourceforge.net/. Access at Feb 12, 2008.
[157] Ferrie P. Attacks on Virtual Machine Emulators[C]. AVAR Conference, 2006: .
[158] Distributed Management Task Force, Inc. System Management BIOS Reference Specification, v2.6 Preliminary[Z]. http://www.dmtf.org/standards/ published_documents/DSP0134.pdf. Access at May 12, 2008.
[159] Dell. Libsmbios[Z]. http://linux.dell.com/libsmbios/main/index.html. Access at May 2, 2008.
[160] Klein T. scoopy_doo VM detection tool[Z]. http://www.trapkit.de/research/vmm /scoopydoo/scoopy_doo.htm. Access at Feb 20, 2008.
[161] Rutkowska J. Red Pill... or how to detect VMM using (almost) one CPU instruction[Z]. http://www.invisiblethings.org/papers/redpill.html. Access at May 20, 2008.
[162] Adams K, Agesen O. A Comparison of Software and Hardware Techniques for x86 Virtualization[C]. Proceedings of The 12th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS'06), Seattle, WA, USA. 2006: 2-13.
[163] HWiNFO32[Z]. http://www.hwinfo.com/. Access at May 12, 2008.
© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号 地址:北京市海淀区学院路29号 邮编:100083 电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700 |