Tao CHEN,M WANG

DOI: https://doi.org/10.3969/j.issn.1673-629X.2019.02.006

2019-01-01

Abstract:Runtime verification is a new lightweight automatic verification technique.The verification software used in this technology is composed of two parts:one part is the monitored target program;the other is the monitor.The main idea of the runtime verification method based on formalized language is to input a formal specification syntax that represents events and properties and target program, and output a new program.The new program with inserting pile will execute the corresponding function to judge whether it satisfies the formal specification grammar when it meets the point that needs to be monitored.However, when the traditional single thread runtime verification monitor has many properties that the target program needs to monitor, the regenerated program may slow down the performance of the program because of the more specified nature.In this paper, we optimize the prototype tool Movec by using multi-core parallel technology.Through the way of serial program monitor assigned to multithreading, Clang compiler's piling technology and multi-core task allocation method have realized the optimization of Movec prototype tools.The optimized Movec is compared with the experimental data without the improved tools, which shows that the multithread operation method has a better effect.

Ding Shun,Li Minglu,Weng Chuliang,Liu Qian

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.06.015

2012-01-01

Abstract:As virtualization is widely applied to various fields such as cloud computing,it gradually becomes a target that various malicious attacks aim at.The runtime security of virtual machines is of the most importance.Aiming at this problem,a monitoring scheme suitable for virtualized environments is proposed.Moreover a security monitoring prototype system of a virtual machine is implemented in Xen.With this scheme,a privileged virtual machine can execute dynamic and customized monitoring upon the massive client virtual machines hosted in a same physical machine.Particularly,this system is very effective at detecting rootkits inside OS kernels.The security monitoring scheme can effectively increase the security not only of client virtual machines but also of the whole VM system.

Hong Zhang,Xinran Liu,Chunge Zhu,Qian Liu

DOI: https://doi.org/10.1109/ccis.2012.6664452

2012-01-01

Abstract:This paper designs a new integrated runtime monitoring method for the Internet-Based Virtual Computing Environment (iVCE). This method consolidates basic state monitoring of virtual resources and application state monitoring of virtual tasks. To validate our methodology, we developed a monitoring system for an iVCE testbed of more than 1000 nodes.

JIANG Nan,WU Jun-Min,ZHU Xiao-Dong,LI Li-Feng,ZHANG Peng-Fei,HUANG Jing

DOI: https://doi.org/10.3969/j.issn.1003-3254.2012.09.003

2012-01-01

Abstract:With the era of multi-core processors,virtualization technology is widely used,and multi-core virtual machine is one of them.The current multi-core virtual machine monitors are generally used hardware virtualization technology through simulating a number of virtual serial ports to monitor for the purpose.This inventive,given based on shared memory multi-core system-level monitoring system virtualization solution,and gives a complete design and implementation.

Yong-gang LIU,Min LI,Qian-xiang WANG,Hong MEI

2007-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Runtime software monitoring and analyzing is not only the approach to improve the quality of software, but also the basis of adaptive software. This paper proposes a pattern-based declarative approach to specify constraints. Based on this approach we implemented a runtime monitoring and analyzing framework on J2EE middleware PKUAS. The most special points of the framework are the flexibility of deploying probes and business logic oriented monitoring. In the end, the paper describes the implementation details and evaluation result of the framework.

Guo Changguo,Wang Tao

DOI: https://doi.org/10.1109/cmce.2010.5610486

2010-01-01

Abstract:Software runtime state provides rich information to do various analysis of the system. However, the current runtime monitoring techniques entangle state fetching logic and corresponding processing logic, which limits the use of the state information and doesn't support information synthesizing either. In this paper, we proposed a runtime state fetching method which separates them. We designed a State Fetching Description language (SFDL) to describe state monitoring requirement, and implemented a compiling framework to compile the SFDL into monitor probes, gather runtime state information and store them in a general form for future use. Such design separates the state fetching logic from information processing logic, liberates the runtime state information from specific usage and makes it possible to synthesize runtime state information which is important for distributed system to get the overall state. In the end, we applied our approach to performance tuning on a distributed system. Based on the obtained detailed running state, we are able to identify some performance bottlenecks and improve the software.

Xianxian Li,Changhui Jiang,Jianxin Li,Bo Li

DOI: https://doi.org/10.1109/NCIS.2011.21

2011-01-01

Abstract:Malicious software is one of the primary threats to information system on Internet, while the traditional host-based and network-based monitoring systems are vulnerable to prevent the malicious behavior of software because most current malicious software is capable of resisting security monitoring. Virtualization technology gives an impactful approach to monitoring the behavior of malicious software since it can provide an abstraction layer between the operating system and the hardware. In this paper, we propose a hardware-virtualization-based security monitor system named VMInsight, which can provide load-time and run-time monitoring for processes. VMInsight intercepts system calls and process behaviors by monitoring changes in the virtual machine CPU register, and it is implemented in the hyper visor, thus is completely transparent to the software and operating system running in the virtual machine. The experimental results show that the performance overhead of VMInsight is less than 10%, and it can be easily applied to the third-party security monitoring system.

杜海,陈榕

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.08.030

2009-01-01

Abstract:Aiming at the problems existed in Operating System(OS) process monitoring, a new full-virtualization-based process monitoring method is proposed. It uses full virtualization technology to detect and isolate all the harmful behaviors of untrusted processes in OS. Experimental results show this method has better performances of pellucidity and portability, which can prevent against multiple attacks and incur only a small amount of performance overhead.

Nan Li,Bo Li,Jianxin Li,Tianyu Wo,Jinpeng Huai

DOI: https://doi.org/10.1109/HPCC.and.EUC.2013.194

2013-01-01

Abstract:Cloud computing service has been evolved in providing a whole virtual data center from selling scattered virtual machines (VMs). Process Monitoring of a VM is a fundamental feature to guarantee the security of the virtual data center because of the rapid growth of the malware. Existing approaches are mainly based on virtual machine introspection (VMI) technique to isolate the monitor out-of-vm and designed to inspect the VM internal processes. However, few of them consider the real time control of process execution in the VMs, such as process termination or files operation conducted by the process. Early VMI-based solutions relied on some specific OS kernel data structures, so they need to know the OS information in advance instead of identifying the OS version at runtime for operating system compatible. In this paper, we propose a novel out-of-the-box process monitor named vMON, which can not only identify different guest OS versions and reconstruct rich semantic information for the target VM processes at runtime, but also control the behaviors of processes with fine granularity. In addition, vMON provides uniform programming interfaces to support the development of application-level security tools. A prototype of vMON has been implemented in kernel-based virtual machine (KVM) hypervisor, and its effectiveness and performance have also been evaluated through several experiments. The results show that vMON can successfully identify, analyze and control the behaviors of the processes in Guest OS with acceptable performance overhead. vMon incurs 0.74%similar to 10.20% I/O overhead and 0.003s average interface return time.

Zhang Yanyuan,Liu Min,Ye Jun,Jiang Liyuan

1995-01-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:Ref. does not offer any information for monitoring 3L Parallel FORTRAN. To meet this monitoring need, the authors have developed a method that is generally applicable to monitoring various parallel programs. In fact, due to the great difficulties involved, there exist, to the authors' best knowledge, only special systems for monitoring specific parallel software such as GMAT of Cray and INSTANT of BBN. The authors' strategy can be essentially described by what follows. The authors place a great number of probes into the user's parallel programs. These probes can monitor any trouble occuring in any part of the parallel programs when it is running and report through a special communication network to a special management system. Thus the users can discover any trouble that occurs when running the parallel programs. As a step towards solving the problems associated with dynamic tracing of parallel programs, the authors developed an appropriate state transition mechanism for tasks. Recently the authors' method was examined by a group of Chinese experts organized by the funding agency. The method was deemed to be novel, dependable, and useful.

Liu Mingcan,Jiang Nan,Du Chenglie

DOI: https://doi.org/10.3969/j.issn.1671-4598.2013.02.044

2013-01-01

Abstract:System supporting environment oriented to complex virtual test application provides a good synchronization and interoperability support for all types of test applications.In order to guarantee the correctness and stability of the whole system and applications under supporting environment,it needs a monitoring tool.After analyzing the VTSE prototype architecture,this paper researches the interactive relationship between monitoring module and other modules,and then designs monitoring module division and monitoring program.This paper also determines the monitoring content and accessing method,and the monitoring information storage and viewing method.Finally,the VTSESPY tool is realized.Through several tests verify the information monitoring and exception catching functionalities of VTSESPY,and obtain good result.

Guofu Xiang,Hai Jin,Deqing Zou

DOI: https://doi.org/10.1109/icoin.2012.6164438

2012-01-01

Abstract:Virtualization can divide or aggregate the underlying resource flexibly, and it attracts attention from both academic and industry in recent years. Guest operating systems in virtual machines can be various, and the states of virtual machines changes all the time. Due to the complexity of virtual computing environment, it brings tremendous challenges for security monitoring. Existing monitoring mechanism can not adapt to the dynamic and diversity of virtual machines. Therefore, a comprehensive monitoring framework, named ComMon, is proposed in this paper, which implements comprehensive monitoring from three aspects: network, process, and file. It has the characteristics of real-time, transparency and generality.

Dongyang Zhan,Lin Ye,Binxing Fang,Hongli Zhang,Xiaojiang Du

DOI: https://doi.org/10.1007/s00500-017-2745-x

2017-01-01

Abstract:Kernel control-flow integrity (CFI) of virtual machines is very important to cloud security. VMI-based dynamic tracing and analyzing methods are promising options for checking kernel CFI in cloud. However, the CFI monitors based on tracing always work at instruction or branch level and result in serious virtual machine performance degradation. To meet the performance requirements in the cloud, we present a page-level dynamic VMI-based kernel CFI checking solution. We trace VM kernel execution at page level, which means that the in-page instruction execution cannot trigger our monitor. As a result, the tracing overhead can be greatly reduced. Based on page-level execution information, we propose two policies to describe the kernel control-flow so as to build the secure kernel control-flow database in the learning stage. In the monitoring stage, we compare runtime execution information with the secure database to check kernel CFI. To further reduce the monitoring overhead, we propose two performance optimization strategies. We implement the prototype on Xen and leverage hardware events to trace VM memory page execution. Then, we evaluate the effectiveness and performance of the prototype. The experimental results prove that our system has enough detection capability and the overhead is acceptable.

XIANG Guo-Fu,JIN Hai,ZOU De-Qing,CHEN Xue-Guang

DOI: https://doi.org/10.3724/sp.j.1001.2012.04219

2012-01-01

Journal of Software

Abstract:In recent years, virtualization technology is the novel trendy of computer architecture, and it provides a solution for security monitoring.Due to the highest privilege and the smaller trusted computing base of virtual machine monitor, security tools, deployed in an isolated virtual machine, can inspect the target virtual machine with the help of virtual machine monitor.This approach can enhance the effectiveness and anti-attack ability of security tools.From the aspect of the implementation technologies, existing research works can be classified into internal monitoring and external monitoring.According to the different targets, the related works about virtualization-based monitoring are introduced in this paper in detail, such as intrusion detection, honeypot, file integrity monitoring, malware detection and analysis, security monitoring architecture and the generality of monitoring.Finally, this paper summarizes the shortcomings of existing works, and presents the future research directions.It is significant for virtualization research and security monitoring research.

Tian Donghai,Jia Xiaoqi,Chen Junhua,Hu Changzhen

DOI: https://doi.org/10.1109/cc.2016.7405709

2016-01-01

Abstract:Recently, virtualization technologies have been widely used in industry. In order to monitor the security of target systems in virtualization environments, conventional methods usually put the security monitoring mechanism into the normal functionality of the target systems. However, these methods are either prone to be tempered by attackers or introduce considerable performance overhead for target systems. To address these problems, in this paper, we present a concurrent security monitoring method which decouples traditional serial mechanisms, including security event collector and analyzer, into two concurrent components. On one hand, we utilize the SIM framework to deploy the event collector into the target virtual machine. On the other hand, we combine the virtualization technology and multi-core technology to put the event analyzer into a trusted execution environment. To address the synchronization problem between these two concurrent components, we make use of Lamport's ring buffer algorithm. Based on the Xen hypervisor, we have implemented a prototype system named COMO. The experimental results show that COMO can monitor the security of the target virtual machine concurrently within a little performance overhead.

Xueyuan Yin,Xingshu? Chen,Shusong Tao,Lin Chen

DOI: https://doi.org/10.13232/j.cnki.jnju.2019.02.007

2019-01-01

Abstract:To solve the problem of user virtual machine monitoring in cloud environment,a virtual machine security monitoring method based on real time online analysis of virtual machine memory was proposed.With high privilege of the virtualization layer,virtual machine memory could be obtained outside of virtual machines online transparently. By using the memory analysis mechanism derived from the field of internal forensics,the semantic knowledge of virtual machine memory can be revealed by analyzing some important kernel structures of the virtual machine memory online in the virtualization layer,which effectively solves the semantic gap between the virtual machine and the virtualization layer and leads to achieving fine granularity of information monitoring of virtual machines.Because the monitoring code is under the virtualization layer,outside of the monitored virtual machine and isolated from virtual machine internal codes by the virtualization mechanism,there is no need to deploy monitoring agents in the users’virtual machine.Therefore,any malicious code inside the virtual machine can not bypass and destroy the security monitoring code under the virtualization layer and the transparency and security of the method is improved. The experimental results show that the method can provide a cloud security monitoring service for virtual machines at lower performance cost with agentless.

Liu Weijie,Wang Lina,Tan Cheng,Xu Lai

DOI: https://doi.org/10.7544/issn1000-1239.2017.20170452

2017-01-01

Journal of Computer Research and Development

Abstract:Virtualization technology as the basis of cloud computing has been widely used , while security issues of virtual machine have been attracted more and more attention .The virtual machine introspection ,as an "out-of-the-box" method leveraged to monitoring virtual machine ,provides a new perspective for solving the security problems .Aiming at this situation ,a triggering mechanism based on VMFUNC is proposed .Taking the advantages of the CPU hardware features VM -Function and RDTSC emulation ,the mechanism minimizes the overhead of VM exits .Based on the extended page table view switching through the VM FUNC ,our mechanism avoids the system pause caused by VMI programs .By means of overloading VM FUNC and Xentrace ,our method can trigger VMI programs actively ,thus overcoming the VMI program resident consumption .In this paper ,a VMI-as-a-service system is implemented and verified by experiments .The results show that the performance cost is no more than 2% ,which makes VMI widely being used possible in practical cloud environment .

Jun Zhu,Changguo Guo,Quan Yin,Jianlu Bo,Quanyuan Wu

DOI: https://doi.org/10.1109/icycs.2008.298

2008-01-01

Abstract:Software runtime monitoring mechanisms can be used to increase the dependability of software systems. However, it is a complex and burdensome job for developers to rebuild existing software systems by adding software runtime monitoring mechanism. Meanwhile, current software runtime monitoring mechanisms are mainly restricted to monitor centralized software systems. This paper presents a novel method, in which distributed software runtime monitoring mechanism is applied to construct dependable software systems, by using AOP technique. This method can satisfy users' changeful monitoring requirements, and decrease the development pressure of developers. Distributed software runtime monitoring mechanism, the kernel of which is a monitoring Web service that can collect runtime monitoring information and provide constant online monitoring information access service, can be repeatedly reused in software systems as a non-functional aspect that has been modeled in this paper. Then we implement a construction platform, which can automatically generate monitoring code and monitoring Web service according to users' monitoring requirements, automatically instrument monitoring code and service into the source code of software system, and then remotely monitor the instrumented software system through monitoring Web service, in terms of this essential idea. We choose a typical multi-thread program as a case study to demonstrate the practicability and feasibility of the approach.

Kang Yu,Zhen Bang Chen,Wei Dong

DOI: https://doi.org/10.4028/www.scientific.net/amr.1078.333

2014-01-01

Advanced Materials Research

Abstract:For some key fields like energy, traffic, etc., the system software has high reliability demands, so that monitors not only need to pay attention on the current action of the system, but also the prediction of future software behavior to avoid disaster. However once been deployed, the only determinate characteristic can be used to predict is just the static software information. In this paper, we construct the method for getting the monitor which can predict the future event at runtime, and experiment to study the effect on the origin program. The results demonstrate that the predictive monitor is generally helpful.

Zheyuan Liu,Dejun Mu

2012-01-01

Journal of Xidian University

Abstract:Computer malware has forced the transfer of the traditional in-host security tools to the development of VMM-based solutions which isolate the anti-malware software from untrusted systems.However,the inherent semantic gap poses a great challenge in supporting existing monitoring tools.In this paper,we present a process transferring method for fine-grained process execution monitoring to address both isolation and compatibility problems.Also by redirecting system calls invoked by the suspect process we guarantee the execution flow of the transferred process.Evaluation results show its effectiveness and feasibility with a tiny influence on the system.