ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2019, Vol. 56 ›› Issue (7): 1470-1487. doi: 10.7544/issn1000-1239.2019.20180577

• Information Security •

Critical Memory Data Access Monitoring Based on Dynamic Strategy Learning

Feng Xinyue1,2, Yang Qiusong1, Shi Lin1, Wang Qing1,2,3, Li Mingshu1

  1 National Engineering Research Center for Fundamental Software, Institute of Software, Chinese Academy of Sciences, Beijing 100190; 2 University of Chinese Academy of Sciences, Beijing 100049; 3 State Key Laboratory of Computer Science (Institute of Software, Chinese Academy of Sciences), Beijing 100190 (xinyue@nfs.iscas.ac.cn)
  • Publication date: 2019-07-01
  • Supported by:
    National Science and Technology Major Project "Core Electronic Devices, High-end Generic Chips and Basic Software" (2014ZX01029101-002); National Natural Science Foundation of China (61432001); Strategic Priority Research Program of the Chinese Academy of Sciences (XDA-Y01-01); Young Scientists Fund of the National Natural Science Foundation of China (61802374)

Critical Memory Data Access Monitor Based on Dynamic Strategy Learning

Feng Xinyue1,2, Yang Qiusong1, Shi Lin1, Wang Qing1,2,3, Li Mingshu1   

  1 National Engineering Research Center for Fundamental Software, Institute of Software, Chinese Academy of Sciences, Beijing 100190; 2 University of Chinese Academy of Sciences, Beijing 100049; 3 State Key Laboratory of Computer Science (Institute of Software, Chinese Academy of Sciences), Beijing 100190
  • Online: 2019-07-01

Abstract: In virtual machine monitor (VMM)-based system monitoring, fine-grained memory access behavior is usually observed by intercepting accesses to critical memory and the execution of critical instructions. However, intercepting memory accesses through the VMM causes CPU control to trap into the VMM frequently, which incurs a large performance overhead. To address this problem, existing work modifies the kernel source at compile time or patches the kernel binary directly, relocating safety-critical data into a separate region so that trapping into the VMM happens less often. These approaches, however, must modify the monitored system itself, and the monitored region cannot be changed while the system is running, which greatly limits their application scenarios and makes them inflexible. To solve these problems, this paper proposes DynMon, a method that dynamically adjusts at runtime which safety-critical memory data needs to be monitored; it is transparent to the monitored system and does not require modifying it. First, by collecting and analyzing historical data, DynMon automatically learns the relationship between the system's runtime state and accesses to safety-critical data, and uses this relationship as the basis of the monitoring strategy for safety-critical data. Then, it monitors the system's runtime state in real time and, according to that strategy, dynamically adjusts the memory regions whose accesses are monitored, reducing the performance overhead caused by unnecessary monitoring. Experimental results show that, compared with the same monitoring without a dynamic strategy, the method reduces the additional performance overhead by 22.23%, and that enlarging the scale of monitored memory does not increase the system's performance overhead excessively.

Keywords: safety-critical data, memory access monitoring, monitoring strategy, sequence pattern mining, event interception

Abstract: VMM-based approaches have been widely adopted to monitor fine-grained memory access behavior by intercepting accesses to safety-critical memory and the execution of critical instructions. However, intercepting memory accesses leads to significant performance overhead, because CPU control transfers to the VMM frequently. Some existing approaches address the performance problem by centralizing safety-critical data in designated memory regions. However, these approaches need to modify the source code or the binary of the monitored system, and cannot change the monitoring strategy at runtime; as a result, their application scenarios are limited. To reduce the performance overhead of monitoring memory accesses, this paper proposes DynMon, an approach that controls the monitoring of safety-critical data accesses dynamically according to the system's runtime state. It does not depend on source code and does not modify the binary of the monitored system. DynMon obtains dynamic monitoring strategies by learning from historical data automatically. Using the system's runtime status and these strategies, DynMon decides the monitored memory access regions dynamically at runtime, and so relieves the performance burden by not monitoring regions that are irrelevant to safety in the current state. The evaluation shows that it reduces the performance cost by 22.23% compared with monitoring without a dynamic strategy, and that the performance overhead does not increase significantly with large numbers of monitored data items.
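The following simulation is an added example and is not code from the paper or from DynMon; it illustrates the trade-off both abstracts describe (fewer traps from not monitoring regions that the current runtime state does not touch, at the price of protection switches and of blind spots). Everything in it is assumed for illustration: page-granularity write protection where every write to a protected page causes a VM exit, a coarse runtime-state label the VMM can read cheaply, a windowed support count standing in for the paper's sequence pattern mining, a protect-everything fallback for contexts absent from the history, and a constructed workload trace (`CYCLE`, `HISTORY`, `TRACE`, `PAGES`). None of these names, thresholds or numbers come from the paper.

```python
"""Simulation of a DynMon-style dynamic memory-access monitor.

Added example, not code from the paper. Modelling assumptions (not from the paper):
  * the monitor works at page granularity: write-protecting a page makes EVERY
    write to it trap into the VMM, whether or not the write touches the
    critical item that motivated protecting the page;
  * the guest exposes a coarse "runtime state" label (which kernel path is
    executing) that the VMM can observe cheaply;
  * a trace event is (state, page, is_critical), where is_critical marks a
    write to a safety-critical item rather than to unrelated data on the page.
"""
from collections import Counter, defaultdict
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Event = Tuple[str, str, bool]      # (runtime_state, page, is_critical)
Context = Tuple[str, ...]          # the last `window` runtime states
Strategy = Dict[Context, FrozenSet[str]]


def mine_strategy(history: List[Event], window: int = 2,
                  min_support: float = 0.2) -> Strategy:
    """For each sequence of `window` recent states, find the pages that saw
    critical writes in at least `min_support` of that sequence's occurrences.
    A windowed support count standing in for the paper's sequence-pattern
    mining, which the abstract does not detail."""
    states = [event[0] for event in history]
    occurrences: Counter = Counter()
    critical_hits: Dict[Context, Counter] = defaultdict(Counter)
    for i in range(window - 1, len(history)):
        ctx = tuple(states[i - window + 1:i + 1])
        occurrences[ctx] += 1
        _, page, is_critical = history[i]
        if is_critical:
            critical_hits[ctx][page] += 1
    return {ctx: frozenset(page for page, hits in critical_hits[ctx].items()
                           if hits / n >= min_support)
            for ctx, n in occurrences.items()}


def replay(trace: List[Event], all_pages: Iterable[str],
           strategy: Optional[Strategy] = None,
           window: int = 2) -> Dict[str, int]:
    """Replay a trace under static monitoring (strategy=None: every critical
    page protected all the time) or under a learned strategy. Returns VM exits
    taken (traps), critical writes that went unobserved (misses) and
    protection changes applied (switches; each one is an EPT/page-table update
    with its own cost)."""
    everything = frozenset(all_pages)
    monitored = everything          # boot with everything protected
    traps = misses = switches = 0
    recent: List[str] = []
    for state, page, is_critical in trace:
        recent.append(state)
        ctx = tuple(recent[-window:])
        if strategy is None or len(ctx) < window:
            wanted = everything
        else:
            # A context never seen in training gives no evidence that relaxing
            # protection is safe, so fall back to protecting every page.
            wanted = strategy.get(ctx, everything)
        if wanted != monitored:
            switches += 1
            monitored = wanted
        if page in monitored:
            traps += 1              # any write to a protected page exits
        elif is_critical:
            misses += 1             # critical write on an unprotected page: blind spot
    return {"traps": traps, "misses": misses, "switches": switches}


# Constructed workload (not measured data): a scheduler tick writes non-critical
# data on both pages, setuid() updates the credential struct on p1, the network
# path writes a critical pointer on p2 and then plain buffer data on the same page.
CYCLE: List[Event] = [
    ("sched", "p1", False),
    ("sched", "p2", False),
    ("setuid", "p1", True),
    ("net", "p2", True),
    ("net", "p2", False),
]
PAGES = ("p1", "p2")
HISTORY: List[Event] = CYCLE * 10
# Fresh trace: four normal cycles, then a critical write from a context the
# history never associated with p1 (the strategy relaxes protection and misses
# it) and a write from a state never seen at all (triggers the fallback).
TRACE: List[Event] = CYCLE * 4 + [("sched", "p1", True), ("kexec", "p1", True)]


def compare() -> Tuple[Dict[str, int], Dict[str, int]]:
    """Trap/miss/switch counts for static monitoring versus the learned strategy."""
    strategy = mine_strategy(HISTORY)
    return replay(TRACE, PAGES), replay(TRACE, PAGES, strategy)


if __name__ == "__main__":
    static, dynamic = compare()
    print("static :", static)
    print("dynamic:", dynamic)
```

On this constructed trace the static monitor takes 22 VM exits, while the learned strategy takes 10 but applies 14 protection switches and misses one critical write: the one issued from a context that the history never linked to that page. That miss is the practitioner's caveat for any history-learned strategy: the access an attacker performs is by construction the unusual one, so the fallback policy for unseen contexts and the minimum-support threshold decide how much of the 22.23% overhead saving reported by the paper is paid for with coverage. The toy numbers here do not reproduce the paper's measurement; they only show which quantities trade against each other.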

Key words: safety-critical data, memory access monitoring, monitoring strategy, sequence pattern mining, event interception
