クラウド上の仮想マシンの安全なリモート監視機構

全文

(1)情報処理学会研究報告 IPSJ SIG Technical Report. Vol.2013-OS-126 No.20 2013/8/1. Ϋϥ΢υ্ͷԾ૝Ϛγϯͷ҆શͳϦϞʔτ‫ߏػࢹ؂‬ ॏా Ұथ1. ޫདྷ ݈Ұ1,2. ֓ཁɿ৵ೖ‫ݕ‬஌γεςϜʢIDSʣΛ҆શʹ࣮ߦͰ͖ΔΑ͏ʹ͢ΔͨΊʹɼԾ૝ϚγϯʢVMʣΛ༻͍ͨ IDS Φϑϩʔυख๏͕ఏҊ͞Ε͍ͯΔɽ͜ͷख๏͸‫ࢹ؂‬ର৅ͷ VM ͱ͸ผͷ VM Ͱ IDS Λಈ࡞ͤ͞Δख๏Ͱ ͋Δɽ͔͠͠ɼΫϥ΢υ಺Ͱ IDS ΛΦϑϩʔυ͢Δ৔߹ɼΫϥ΢υͷ؅ཧऀ͕ৗʹ৴པͰ͖Δͱ͸‫ݶ‬Βͳ ͍͜ͱ͔Β IDS ͷਖ਼ৗͳ࣮ߦΛอূͰ͖ͳ͍ɽຊߘͰ͸ɼ‫ࢹ؂‬ର৅ VM ͕ಈ࡞͍ͯ͠ΔΫϥ΢υͱ͸ผͷ ϗετʹ IDS ΛΦϑϩʔυ͠ɼωοτϫʔΫ‫ܦ‬༝Ͱ҆શʹ‫ࢹ؂‬ର৅ VM Λ‫͖Ͱࢹ؂‬ΔΑ͏ʹ͢ΔγεςϜ RemoteTrans ΛఏҊ͢ΔɽRemoteTrans Ͱ͸৴པͰ͖Δϗετ্Ͱ IDS Λಈ࡞ͤ͞Δ͜ͱͰɼIDS ͷఀ ࢭ΍վ͟ΜΛ๷͙ɽ·ͨɼIDS ͱΫϥ΢υ಺ͷԾ૝ϚγϯϞχλʢVMMʣͷؒͰ੔߹ੑνΣοΫΛߦ͏͜ ͱͰɼIDS ͕ࢀর͢Δσʔλͷվ͟ΜΛ‫ݕ‬ग़͢ΔɽRemoteTrans Λ Xen ʹ࣮૷͠ɼVM Shadow Λ༻͍ͯ ‫ط‬ଘͷ IDS Λಈ࡞ͤ͞ΒΕΔ͜ͱΛ֬ೝͨ͠ɽ ΩʔϫʔυɿԾ૝ϚγϯɼϦϞʔτ‫ࢹ؂‬. Secure Remote Monitoring of Virtual Machines on Clouds Kazuki Juda1. kenichi kourai1,2. Abstract: To execute intrusion detection systems (IDSes) securely, offloading IDSes with virtual machine (VMs) has been proposed. This technique runs IDSes on one VM and a monitored system on another VM. However, when IDSes are offloaded in clouds, trusted execution of them is not guaranteed because cloud administrators are not always trustworthy. This paper proposes RemoteTrans for securely monitoring VMs in clouds via networks by offloading IDSes on other hosts. RemoteTrans prevents IDSes from being terminated or tampered with by running them on trusted hosts. In addition, it detects the tampering with requested data by checking the integrity of the data between IDSes and the virtual machine monitor (VMM) in clouds. We have implemented RemoteTrans in Xen and confirmed that several existing IDSes could run by using VM Shadow. Keywords: Virtual machine,remote monitoring. 1. ͸͡Ίʹ IaaS ‫ܕ‬Ϋϥ΢υͷී‫ʹٴ‬ΑΓɼϢʔβ͸ࣗ਎ͷαʔόΛ Ϋϥ΢υ্ͷԾ૝ϚγϯʢVMʣͰಈ࡞ͤ͞Δ͜ͱ͕ଟ͘. Βɼ߈ܸऀ͸Ϋϥ΢υΛ߈ܸର৅ͱ͢Δ͜ͱͰɼαʔόΛ ޮ཰Α͘‫͚ͭݟ‬ग़ͯ͠߈ܸͰ͖ΔͨΊͰ͋Δɽ·ͨɼΫϥ ΢υͰ͸༰қʹ VM Λ࡞੒Ͱ͖ΔͨΊɼύον͕ະద༻Ͱ ਖ਼͘͠؅ཧ͞Ε͍ͯͳ͍ VM ΋͋Γ͑Δɽ. ͳ͖ͬͯͨɽΫϥ΢υ্ͰαʔόΛಈ࡞ͤ͞Δ͜ͱʹΑͬ. ͦͷͨΊɼΫϥ΢υ্ͷ VM ͰαʔόΛಈ࡞ͤ͞Δ৔߹. ͯɼ෺ཧϚγϯΛࣗ෼Ͱ༻ҙ͢Δඞཁ͕ͳ͘ίετΛ࡟‫ݮ‬. ͸৵ೖ‫ݕ‬஌γεςϜʢIDSʣʹΑΔ‫͢·͢·͕ࢹ؂‬ॏཁʹ. ͢Δ͜ͱ͕Ͱ͖Δɽ͔͠͠ɼΫϥ΢υʹू໿͞Εͨଟ͘ͷ. ͳΔɽ͔͠͠ɼIDS Λ VM ಺Ͱಈ࡞͍ͤͯ͞ΔͱɼVM ʹ. αʔό͸ɼ߈ܸऀʹΑΔ߈ܸͷର৅ʹͳΓ΍͍͢ɽͳͥͳ. ৵ೖ͞Εͯ IDS ࣗ਎͕ແྗԽ͞Εͯ͠·ͬͨ৔߹ɼҎ߱ͷ ߈ܸΛ‫ݕ‬஌Ͱ͖ͳ͘ͳͬͯ͠·͏ɽ͜ͷ໰୊Λղܾ͢Δͨ. 1 2. ‫۝‬भ޻‫ۀ‬େֶ Kyushu Institute of Technology ಠཱߦ੓๏ਓՊֶٕज़ৼ‫ߏػڵ‬, CREST. ⓒ 2013 Information Processing Society of Japan. ΊʹɼVM Λ༻͍ͨ IDS ͷΦϑϩʔυख๏͕ఏҊ͞Ε͍ͯ Δ [1]ɽ͜ͷख๏Ͱ͸ɼ‫ࢹ؂‬ର৅͕ಈ࡞͍ͯ͠Δ VM ͱ͸. 1.

(2) 情報処理学会研究報告 IPSJ SIG Technical Report. Vol.2013-OS-126 No.20 2013/8/1. ผͷ VM ʹ IDS ΛΦϑϩʔυ͠ɼVM ͷ֎͔ΒγεςϜͷ ‫ࢹ؂‬Λߦ͏ɽ؅ཧ VM ͳͲͷ IDS Λಈ࡞ͤ͞Δ VM Ͱ͸ Ͱ͖Δ͚ͩଞͷαʔϏεΛఏ‫͍ͳ͠ڙ‬Α͏ʹ͢Δ͜ͱͰɼ ߈ܸΛड͚ʹ͘͘͢Δ͜ͱ͕ͰՄೳͰ͋Δɽ͜ΕʹΑΓɼ ҆શʹ IDS Λಈ࡞ͤ͞Δ͜ͱ͕ՄೳͱͳΔɽ ҰํɼΫϥ΢υͷதͰ IDS ΦϑϩʔυΛߦͬͯ΋ IDS ͕ ਖ਼͘͠ಈ࡞͢Δ͜ͱΛอূ͢Δ͜ͱ͸Ͱ͖ͳ͍ɽΫϥ΢υ ͷ؅ཧऀ͕ඞͣ͠΋৴པͰ͖Δͱ͸‫ݶ‬Βͳ͍ͨΊͰ͋Δɽ ؅ཧ VM ͷηΩϡϦςΟରࡦ͕ෆे෼ͳ৔߹ɼ֎෦ͷ߈ܸ. ਤ 1. ऀʹ৵ೖ͞ΕΔ‫ڪ‬Ε͕͋Δ্ɼ؅ཧऀʹѱҙ͕͋Δ͜ͱ΋. VM Λ༻͍ͨ IDS Φϑϩʔυ. ߟ͑ΒΕΔɽ͜ͷΑ͏ͳ৔߹ɼIDS Λఀࢭͤ͞ΒΕͨΓɼ ਖ਼͘͠৵ೖΛ‫ݕ‬஌͠ͳ͍Α͏ʹվ͟Μ͞ΕͨΓ͢Δ‫ڪ‬Ε. VM ͷ؅ཧΛߦ͏ಛ‫ݖ‬Λ࣋ͬͨ؅ཧ VM ͕༻͍ΒΕΔ͜ͱ. ͕͋Δɽ·ͨɼIDS Λվ͟Μ͠ͳ͘ͱ΋ɼIDS ͕‫ࢹ؂‬ର৅. ͕ଟ͍͕ɼ‫ࢹ؂‬ઐ༻ʹ։ൃ͞ΕͨυϝΠϯ M [4] ͳͲΛ༻. VM ͔Βऔಘ͢ΔσʔλΛվ͟Μ͢Δ͜ͱͰແྗԽ͢Δ͜. ͍Δ͜ͱ΋Ͱ͖Δɽ͜ͷख๏Λ༻͍Δ͜ͱʹΑΓɼ‫ࢹ؂‬ର. ͱ΋ߟ͑ΒΕΔɽ. ৅ VM ͕߈ܸΛड͚ͨͱͯ͠΋ͦͷதͰ IDS ͕ಈ࡞ͯ͠. ຊߘͰ͸ɼ‫ࢹ؂‬ର৅ VM ͕ಈ࡞͍ͯ͠ΔΫϥ΢υͱ͸ผ. ͍ͳ͍ͨΊ IDS Λ߈ܸ͞ΕΔ‫ڪ‬Ε͸ͳ͍ɽҰํɼΦϑϩʔ. ͷϗετʹ IDS ΛΦϑϩʔυ͠ɼωοτϫʔΫ‫ܦ‬༝Ͱ҆શ. υઌͷ؅ཧ VM Ͱ͸ IDS Ҏ֎ͷγεςϜΛͰ͖Δ͚ͩಈ. ʹ‫ࢹ؂‬ର৅ VM Λ‫͖Ͱࢹ؂‬ΔΑ͏ʹ͢ΔγεςϜ Remote-. ࡞ͤ͞ͳ͍Α͏ʹ͢Δ͜ͱͰɼ߈ܸΛड͚ʹ͘͘͢Δ͜ͱ. Trans ΛఏҊ͢ΔɽRemoteTrans ͸ɼIDS Λ৴པͰ͖Δϗ. ͕Ͱ͖Δɽ. ετ্Ͱಈ࡞ͤ͞Δ͜ͱʹΑΓɼIDS ͕ఀࢭ͞ΕͨΓվ͟. Φϑϩʔυ͞Εͨ IDS ͸‫ࢹ؂‬ର৅ VM ͷϝϞϦΛղੳ. Μ͞ΕͨΓ͢ΔͷΛ๷͙͜ͱ͕Ͱ͖Δɽ·ͨɼIDS ͱΫϥ. ͯ͠৘ใΛऔಘ͢Δ͜ͱͰ‫ࢹ؂‬Λߦ͏ɽྫ͑͹ɼ‫ࢹ؂‬ର৅. ΢υ಺ͷԾ૝ϚγϯϞχλʢVMMʣͷؒͰ੔߹ੑνΣο. VM ʹѱҙͷ͋Δϓϩηε͕ಈ͍͍ͯͳ͍͔Ͳ͏͔Λ‫ࢹ؂‬. ΫΛߦ͏͜ͱʹΑΓɼཁ‫ࢹ؂ͨ͠ٻ‬ର৅ VM ͷσʔλ͕ਖ਼. ͢Δʹ͸ɼΧʔωϧϝϞϦ্ʹ͋ΔϓϩηεϦετͷઌ಄. ͘͠औಘͰ͖͓ͯΓɼσʔλͷ಺༰΋վ͟Μ͞Ε͍ͯͳ͍. ͔Βϓϩηε৘ใΛॱ൪ʹऔಘ͢Δɽͦͯ͠ɼϓϩηεͷ. ͜ͱΛ֬ೝ͢ΔɽVMM ͸ϦϞʔτΞςεςʔγϣϯͳͲ. ໊લ΍ॴ༗ऀͳͲΛνΣοΫͨ͠ΓɼϓϩηεͷϝϞϦ. Λ༻͍Δ͜ͱͰਖ਼͘͠ಈ࡞͢Δ͜ͱΛอূ͢Δɽ. Λௐ΂ͨΓ͢Δ͜ͱͰҟৗͷ༗ແΛ‫ࠪ͢ݕ‬Δɽଞʹ΋ɼ‫؂‬. զʑ͸ RemoteTrans Λ Xen 4.1.3 [2] ʹ࣮૷ͨ͠ɽΫϥ. ࢹର৅ VM ͷσΟεΫΛ‫ͨࠪ͠ݕ‬Γɼૹड৴͢Δωοτ. ΢υ֎෦ͷ‫ࢹ؂‬ϗετͰ RemoteTrans ϥϯλΠϜ͓Αͼ. ϫʔΫύέοτΛղੳ͢Δ IDS ΋Φϑϩʔυ͢Δ͜ͱ͕Ͱ. IDS Λಈ࡞ͤ͞ɼ؅ཧ VM ্ͷ RemoteTrans αʔόͱ௨. ͖Δɽ. ৴͢Δɽ·ͨɼTranscall [3] Λ RemoteTrans ʹରԠͤ͞ɼ. IDS Φϑϩʔυख๏ΛΫϥ΢υʹద༻͢Δࡍͷ໰୊఺͸ɼ. ‫ࢹ؂‬ϗετ্Ͱ͍͔ͭ͘ͷ‫ط‬ଘͷ IDS Λಈ͔͢͜ͱ͕Ͱ͖. Ϋϥ΢υͷ؅ཧऀ͸ৗʹ৴པͰ͖Δͱ͸‫ݶ‬Βͳ͍ͱ͍͏͜. ͍ͯΔɽ‫ࢹ؂‬ର৅ VM ͷΧʔωϧσʔλ͔Β Shadow proc. ͱͰ͋ΔɽΫϥ΢υ্ͷ VM ͸ϚΠάϨʔγϣϯͰҠಈ͢. ϑΝΠϧγεςϜΛߏங͢Δ࣮‫ݧ‬Λߦ͍ɼϦϞʔτͷ VM. Δ͜ͱ͕͋ΓɼηΩϡϦςΟҙࣝͷ௿͍γεςϜ؅ཧऀͷ. ͷ৘ใΛऔಘͰ͖͍ͯΔ͜ͱɼ௨৴σʔλͷվ͟ΜΛ‫ݕ‬஌. ͍ΔσʔληϯλͰ VM ͕ಈ࡞͢ΔՄೳੑ΋͋Δɽ͜ͷΑ. Ͱ͖Δ͜ͱΛ֬ೝͨ͠ɽ·ͨɼσʔλͷऔಘʹ͸ैདྷͷΦ. ͏ͳ‫Ͱڥ؀‬؅ཧ VM ʹ੬ऑੑ͕͋Δ৔߹ɼ֎෦͔Βͷ߈ܸ. ϑϩʔυख๏ͷ໿ 15 ഒͷ͕͔͔࣌ؒΔ͜ͱ͕෼͔ͬͨɽ. ऀʹΑͬͯ؅ཧ VM ͷ੍‫͕ޚ‬ୣΘΕΔ‫ڪ‬Ε͕͋Δɽ·ͨɼ. ҎԼɼ2 ষͰ IaaS ‫ܕ‬Ϋϥ΢υͰ IDS ΦϑϩʔυΛߦ͏ ৔߹ͷ໰୊఺ʹ͍ͭͯड़΂ɼ3 ষͰ͸ RemoteTrans ʹ͍ͭ. Ϋϥ΢υ؅ཧऀʹѱҙ͕͋ͬͨ৔߹ɼ؅ཧ VM ʹϩάΠϯ ͯ͠༰қʹෆਖ਼Λߦ͏͜ͱ͕Ͱ͖Δɽ. ͯड़΂Δɽ4 ষͰ࣮૷ͷৄࡉʹ͍ͭͯड़΂ɼ5 ষͰ͸࣮‫ݧ‬. ͦͷͨΊɼΦϑϩʔυͨ͠ IDS ͕ਖ਼ৗʹಈ࡞͢Δ͜ͱΛ. ʹ͍ͭͯड़΂Δɽ6 ষͰؔ࿈‫͍ͯͭʹڀݚ‬ड़΂ɼ7 ষͰຊ. อূ͢Δ͜ͱ͸Ͱ͖ͳ͍ɽ؅ཧ VM ʹ৵ೖͨ͠߈ܸऀ΍ѱ. ߘΛ·ͱΊΔɽ. 2. IaaS ‫ܕ‬Ϋϥ΢υʹ͓͚Δ IDS Φϑϩʔυ. ҙΛ࣋ͬͨ؅ཧऀ͸ɼIDS Λఀࢭͤ͞Δ͜ͱͰ৵ೖ‫ݕ‬஌Λ ճආ͢Δ͜ͱ͕Ͱ͖Δɽ·ͨɼIDS Λվ͟Μ͢Δ͜ͱͰɼ ѱҙ͋ΔϓϩηεΛ‫ݕ‬ग़͠ͳ͍Α͏ʹ͢Δ͜ͱ΋Ͱ͖Δɽ. IDS Λ҆શʹಈ࡞ͤ͞ΔͨΊʹɼVM Λ༻͍ͨ IDS Φϑ. IDS Λվ͟Μ͠ͳ͘ͱ΋ɼIDS ͕‫ࢹ؂‬ର৅ VM ͷϝϞϦྖ. ϩʔυख๏͕ఏҊ͞Ε͍ͯΔ [1]ɽ͜ͷख๏͸ɼਤ 1 ͷΑ. ҬΛࢀর͢ΔࡍʹɼࢀরઌΛมߋ͢Δ͚ͩͰ΋ɼIDS ͷ‫ڍ‬. ͏ʹ‫ࢹ؂‬ର৅γεςϜ͕ಈ࡞͍ͯ͠Δ VM ͱಉ͡ϗετ. ಈΛม͑ͯແྗԽ͢Δ͜ͱ͕Ͱ͖Δɽ. ্ͷผͷ VM ʹ IDS ΛΦϑϩʔυ͠ɼγεςϜͷ֎ଆ͔. Ϋϥ΢υ಺Ͱ҆શʹ IDS ΦϑϩʔυΛߦ͑ΔΑ͏ʹ͢Δ. Β‫͢ࢹ؂‬Δख๏Ͱ͋ΔɽIDS Λಈ࡞ͤ͞Δ VM ͱͯ͠͸ɼ. ͨΊʹɼSelf-Service CloudʢSSC) [5] ͕ఏҊ͞Ε͍ͯΔɽ. ⓒ 2013 Information Processing Society of Japan. 2.

(3) 情報処理学会研究報告 IPSJ SIG Technical Report. Vol.2013-OS-126 No.20 2013/8/1. SSC Ͱ͸ɼIDS ΛΦϑϩʔυͨ͠ VM ͸‫ࢹ؂‬ର৅ VM ͷ Ϣʔβͷ؅ཧԼʹ͋ΓɼΫϥ΢υͷ؅ཧऀͰ͋ͬͯ΋‫ׯ‬ব ͢Δ͜ͱ͕Ͱ͖ͳ͍ɽ͔͠͠ɼVMM ʹՃ͑ͯɼ͜ͷ VM ΋Ϋϥ΢υ಺Ͱ৴པ͢Δ෦෼ͱ͢Δඞཁ͕͋ΔɽVMM ͱ ൺ΂ͯɼVM ಺Ͱ͸ OS Λ‫ؚ‬ΊͯΑΓෳࡶͳγεςϜ͕ಈ ࡞͍ͯ͠ΔͨΊɼͦͷ੬ऑੑΛ߈ܸ͞ΕΔ‫ݥة‬ੑ͕ߴ͘ ͳΔɽ. 3. RemoteTrans ਤ 2 RemoteTrans ͷγεςϜߏ੒. ຊߘͰ͸ɼ‫ࢹ؂‬ର৅ VM ͕ಈ࡞͍ͯ͠ΔΫϥ΢υͱ͸ผ ͷϗετʹ IDS ΛΦϑϩʔυ͠ɼωοτϫʔΫ‫ܦ‬༝Ͱ҆શ ʹ‫ࢹ؂‬ର৅ VM Λ‫͖Ͱࢹ؂‬ΔΑ͏ʹ͢ΔγεςϜ Remote-. Ϛγϯͷϝϯςφϯε࣌΋‫ࢹ؂‬Λ‫ܧ‬ଓ͢Δ͜ͱ͕Ͱ͖Δɽ. Trans ΛఏҊ͢ΔɽϢʔβ͕؅ཧ͍ͯ͠Δ৴པͰ͖Δϗε τ্Ͱ IDS Λಈ࡞ͤ͞Δ͜ͱʹΑͬͯɼIDS ͕ఀࢭ͞Ε ͨΓվ͟Μ͞ΕͨΓ͢Δ͜ͱΛ๷͙͜ͱ͕Ͱ͖ΔɽIDS ͱ. 3.3 VM ͷ‫ࢹ؂‬ RemoteTrans ϥϯλΠϜ͕Ϋϥ΢υ಺ͷ RemoteTrans. Ϋϥ΢υ಺ͷ VMM ͷؒͰ੔߹ੑνΣοΫΛߦ͏͜ͱͰɼ. αʔό‫ܦ‬༝Ͱ VMM ಺ͷ RemoteTrans ϞδϡʔϧʹΞΫ. IDS ͕ࢀর͢Δσʔλͷվ͟ΜΛ‫ݕ‬ग़͢Δ͜ͱ͕Ͱ͖Δɽ. ηε͢Δ͜ͱʹΑͬͯɼIDS ͸ϦϞʔτͷ‫ࢹ؂‬ର৅ VM ͷ ৘ใΛࢀর͢Δ͜ͱ͕Ͱ͖ΔɽIDS ͕‫ࢹ؂‬ର৅ VM ͷϝϞ. 3.1 ‫ڴ‬ҖϞσϧ. ϦσʔλΛࢀর͠Α͏ͱͨ࣌͠ɼͦͷσʔλͷԾ૝ΞυϨε. ຊߘͰ͸֎෦͔Βͷ߈ܸऀ΍ѱҙͷ͋ΔΫϥ΢υ؅ཧऀ. ͱσʔλαΠζ͔ΒͳΔϦΫΤετΛ RemoteTrans ϥϯλ. ʹΑͬͯ؅ཧ VM ͕ѱ༻͞ΕΔ͜ͱΛ૝ఆ͍ͯ͠ΔɽIaaS. ΠϜʹૹΔɽRemoteTrans ϥϯλΠϜ͕ϦΫΤετΛωο. ϓϩόΠμࣗମ͸৴པ͠ɼVMM ΍ϋʔυ΢ΣΞΛ؅ཧ͢. τϫʔΫ‫ܦ‬༝Ͱ RemoteTrans αʔόʹૹΔͱɼVMM ಺ͷ. Δগ਺ͷ؅ཧऀ΋৴པ͢Δɽ͔͠͠ɼ؅ཧ VM ͰϢʔβ. RemoteTrans Ϟδϡʔϧ͕‫ͼݺ‬ग़͞ΕΔɽRemoteTrans. VM Λ೔ৗతʹ؅ཧ͍ͯ͠ΔҰൠͷγεςϜ؅ཧऀ͸৴. Ϟδϡʔϧ͸ɼϦΫΤετ͞ΕͨԾ૝ΞυϨεʹ͋Δσʔ. པ͠ͳ͍ɽ·ͨɼVMM ʹ੬ऑੑ͸ͳ͍΋ͷͱ͠ɼϋʔυ. λΛࢦఆ͞ΕͨαΠζ෼͚ͩ‫ࢹ؂‬ର৅ VM ͷϝϞϦ͔Βऔ. ΢ΣΞʹ෺ཧతʹΞΫηε͢Δ߈ܸ͸૝ఆ͠ͳ͍ɽIDS Λ. ಘ͠ɼRemoteTrans αʔόʹฦ͢ɽ͜ͷσʔλ͸ɼϨεϙ. Φϑϩʔυ͢ΔϢʔβͷ‫ࢹ؂‬ϗετ͸ਖ਼͘͠؅ཧ͞Ε͍ͯ. ϯεͱͯ͠ RemoteTrans ϥϯλΠϜʹฦ͞ΕɼIDS ͕ࢀ. Δ΋ͷͱ͠ɼ‫ࢹ؂‬ϗετ͕߈ܸΛड͚Δ͜ͱ͸ߟ͑ͳ͍ɽ. রͰ͖ΔΑ͏ʹͳΔɽ. RemoteTrans Ͱ͸ɼVMCrypt [6] ΍ηΩϡΞͳ࣮ߦ‫؀‬ 3.2 γεςϜߏ੒. ‫[ ڥ‬7] Λ༻͍ͯ‫ࢹ؂‬ର৅ VM ͷϝϞϦΛ҉߸Խ͢Δ͜ͱΛ. RemoteTrans Λ༻͍ͯ IDS ΦϑϩʔυΛߦ͏৔߹ͷγ. ૝ఆ͍ͯ͠ΔͨΊɼVMM ಺Ͱ VM ͷϝϞϦσʔλΛऔ. εςϜߏ੒Λਤ 2 ʹࣔ͢ɽΫϥ΢υ֎ͷ‫ࢹ؂‬ϗετ্Ͱ. ಘ͢Δɽ͞ΒʹɼVMM ಺ͷ RemoteTrans Ϟδϡʔϧ͸. RemoteTrans ϥϯλΠϜΛಈ࡞ͤ͞ɼ͜ͷϥϯλΠϜ্. ϦΫΤετͱϨεϙϯεʹର͢Δվ͟Μͷ‫ݕ‬ग़΋ߦ͏ɽ͜. Ͱ IDS Λ࣮ߦ͢ΔɽҰํɼΫϥ΢υ಺Ͱ͸ RemoteTrans. ͷ੔߹ੑνΣοΫʹ͍ͭͯ͸ 3.4 અͰड़΂ɼΫϥ΢υ಺ͷ. αʔόΛ‫ࢹ؂‬ର৅ VM ͕ಈ࡞͍ͯ͠Δϗετͷ؅ཧ VM. VMM Λ৴པ͢ΔͨΊͷख๏ʹ͍ͭͯ͸ 3.5 અͰड़΂Δɽ. Ͱಈ࡞ͤ͞ΔɽΫϥ΢υ಺ͷ VMM Ͱ͸ RemoteTrans Ϟ. VMM Ͱ͸σʔλͷऔಘ͚ͩΛߦ͍ɼσʔλͷૹ৴͸ߦΘ. δϡʔϧΛಈ࡞ͤ͞ΔɽIDS ͕ࢀর͢Δ‫ࢹ؂‬ର৅ VM ͷ৘. ͳ͍ɽ͜Ε͸ɼRemoteTrans ϥϯλΠϜͱ VMM ͕௚઀. ใ͸ RemoteTrans ϥϯλΠϜ͕ RemoteTrans αʔόΛ‫ܦ‬. ௨৴Ͱ͖ΔΑ͏ʹ͢ΔͱɼVMM ͕߈ܸΛड͚ΔՄೳੑ͕. ༝ͯ͠ RemoteTrans ϞδϡʔϧʹΞΫηε͢Δ͜ͱͰऔ. ߴ·ΔͨΊͰ͋ΔɽVMM ͕߈ܸΛड͚ΔͱɼIDS ͕ࢀর. ಘ͢Δɽ. ͢Δσʔλͷ੔߹ੑνΣοΫΛແޮԽ͞Εͯ͠·͏‫ڪ‬Ε͕. RemoteTrans ϥϯλΠϜͱ IDS ͸Ϣʔβͷ PC ΍ϓϥ ΠϕʔτɾΫϥ΢υͳͲͷ༷ʑͳ‫͖Ͱߦ࣮Ͱڥ؀‬ΔΑ͏ʹ. ͋Δɽ ؅ཧ VM ্ʹΦϑϩʔυͯ͠ಉҰϗετ্ͷ VM Λ‫؂‬. ͢ΔͨΊʹɼԾ૝ΞϓϥΠΞϯεʢVMʣͱͯ͠ఏ‫͢ڙ‬Δɽ. ࢹ͢ΔΑ͏ʹ։ൃ͞Εͨ IDS ʹ͍ͭͯ͸ɼ‫ࢹ؂‬ର৅ VM ͷ. VM Ͱಈ࡞ͤ͞Δ͜ͱͷར఺͸ IDS Λಈ࡞ͤ͞Δ‫ࠨʹڥ؀‬. σʔλऔಘ෦Λ RemoteTrans ϥϯλΠϜ͕ఏ‫͢ڙ‬Δ API. ӈ͞Εͳ͍͜ͱͰ͋Δɽ‫͕ڥ؀‬มΘΔͱύοέʔδͷ௥Ճ. Λ༻͍ͯॻ͖‫͑׵‬Δ͚ͩͰɼϦϞʔτͷ VM Λ‫͢ࢹ؂‬Δ͜. ΍ IDS ͷॻ͖‫Ͳͳ͑׵‬ΛߦΘͳ͚Ε͹ͳΒͳ͍Մೳੑ͕͋. ͱ͕ՄೳͱͳΔɽ·ͨɼVM Shadow [3] Λ RemoteTrans. Δ͕ɼVM Ͱ͋Ε͹Ͳ͜Ͱ΋ͦͷ··࣮ߦ͢Δ͜ͱ͕Ͱ͖. ʹରԠͤ͞Δ͜ͱʹΑΓɼ‫ط‬ଘͷ IDS Λಈ࡞ͤ͞Δ͜ͱ΋. Δɽ͞ΒʹɼVM ͷϚΠάϨʔγϣϯΛߦ͏͜ͱͰɼ෺ཧ. ՄೳͱͳΔɽVM Shadow ͱ͸ɼ‫ط‬ଘͷ IDS ʹमਖ਼ΛՃ͑. ⓒ 2013 Information Processing Society of Japan. 3.

(4) 情報処理学会研究報告 IPSJ SIG Technical Report. ਤ 3. Vol.2013-OS-126 No.20 2013/8/1. RemoteTrans ʹରԠͨ͠ VM Shadow ਤ 4 ੔߹ੑνΣοΫ. 3.5 ϦϓϨΠ߈ܸରࡦ Δ͜ͱͳ͘Φϑϩʔυͯ͠ಈ࡞ͤ͞ΒΕΔΑ͏ʹ͢ΔͨΊ. IDS ͕ࢀর͢ΔσʔλΛվ͟Μ͢Δखஈͱͯ͠ɼϦϓϨ. ͷ࣮ߦ‫͋Ͱڥ؀‬Δɽਤ 3 ʹ VM Shadow Λ༻͍ͨ৔߹ͷߏ. Π߈ܸ΋ߟ͑ΒΕΔɽϦϓϨΠ߈ܸͱ͸ɼҎલʹ௨৴ͨ͠. ੒Λࣔ͢ɽ. ϦΫΤετͱϨεϙϯεΛอଘ͓͖ͯ͠ɼಉ͡ϦΫΤετ ͕ૹΒΕͨ࣌ʹอଘ͓͍ͯͨ͠ϨεϙϯεΛฦ͢߈ܸͰ͋. 3.4 ‫ࢹ؂‬σʔλͷ੔߹ੑνΣοΫ. Δɽ߈ܸͷྫͱͯ͠͸ɼIDS ͕ਖ਼ৗ࣌ͷϓϩηε৘ใΛೖ. RemoteTrans ΁ͷ߈ܸͱͯ͠ɼRemoteTrans ϥϯλΠ. ख͢Δࡍʹɼ߈ܸऀ͸ϦΫΤετͱϨεϙϯεͷ૊Λอଘ. Ϝ͔Β RemoteTrans αʔό΁ͷϦΫΤετ͓ΑͼͦͷϨ. ͓ͯ͘͠ɽͦͷ‫ޙ‬ɼѱҙͷ͋ΔϓϩηεΛ‫ࢹ؂‬ର৅ VM Ͱ. εϙϯεͷվ͟Μ͕ߟ͑ΒΕΔɽ௨৴࿏͕҉߸Խ͞Ε͍ͯ. ಈ࡞ͤ͞ɼIDS ͕ϓϩηε৘ใΛೖख͢Δࡍʹ͸ɼอଘ͠. ͨͱͯ͠΋ɼΫϥ΢υ಺ͷ؅ཧ VM ্Ͱ͜ΕΒͷվ͟Μ͕. ͓͍ͯͨϨεϙϯεΛฦ͢ɽ͜ΕʹΑΓɼIDS ʹਖ਼ৗ࣌ͷ. ߦΘΕΔ‫ݥة‬ੑ͕͋Δɽ΋͠ɼϦΫΤετ͕վ͟Μ͞Εͨ. ϓϩηε৘ใΛࢀরͤ͞Δ͜ͱ͕Ͱ͖Δɽ߈ܸऀ͸ϦΫΤ. ৔߹ɼࢦఆ͞ΕͨԾ૝ΞυϨεΛมߋ͠ɼIDS ͕ࢀর͠Α. ετ͞ΕΔΞυϨεͱσʔλαΠζɼ͓ΑͼɼϨεϙϯε. ͏ͱ͍ͯ͠Δσʔλͱ͸ҟͳΔσʔλΛฦͤ͞Δ͜ͱ͕Ͱ. Ͱฦ͞ΕΔσʔλΛվ͟Μ͢Δඞཁ͕ͳ͍ͨΊɼMAC Λ. ͖ͯ͠·͏ɽྫ͑͹ɼϓϩηεϦετΛͨͲΔͨΊʹ࣍ͷ. ༻͍ͯ΋͜ͷΑ͏ͳ߈ܸΛ‫ݕ‬஌͢Δ͜ͱ͸Ͱ͖ͳ͍ɽ. ϓϩηεͷΞυϨεΛऔಘ͢ΔϦΫΤετ͕ૹΒΕ͖ͯͨ. RemoteTrans Ͱ͸ɼϦϓϨΠ߈ܸରࡦͱͯ͠ϊϯεͱ‫ݺ‬. ৔߹ɼ࣍ͷ࣍ͷϓϩηεΛࢦ͢ΞυϨεʹॻ͖‫͑׵‬Δ͜ͱ. ͹ΕΔཚ਺Λ‫ؚ‬Ίͯ MAC ͷ‫ࢉܭ‬Λߦ͏ɽ·ͣɼRemote-. ͕Ͱ͖Δɽ͜ΕʹΑΓѱҙͷ͋Δϓϩηεͷ৘ใΛӅ͞Ε. Trans ϥϯλΠϜ͸ΞυϨεͱσʔλαΠζʹՃ͑ͯϊϯ. ͯ͠·͏‫ڪ‬Ε͕͋Δɽಉ༷ʹɼϨεϙϯεΛվ͟Μ͞ΕΔ. ε΋ RemoteTrans αʔό΁ૹΔɽRemoteTrans Ϟδϡʔ. ͱɼ࣮ࡍͷσʔλͱ͸ҟͳΔσʔλΛฦ͢͜ͱ͕Ͱ͖Δɽ. ϧ͸ϊϯε΋‫ؚ‬ΊͯϦΫΤετͱऔಘͨ͠σʔλ͔Β MAC. ѱҙͷ͋Δϓϩηεͷ৘ใΛॻ͖‫͑׵‬Δ͜ͱͰɼIDS ʹΑ. Λ‫͠ࢉܭ‬ɼRemoteTrans ϥϯλΠϜʹฦ͢ɽRemoteTrans. Δ‫ݕ‬஌Λճආ͞Εͯ͠·͏‫ڪ‬Ε͕͋Δɽ. ϥϯλΠϜ͸อଘ͓͍ͯͨ͠ϊϯε΋‫ؚ‬Ίͯ MAC Λ‫ࢉܭ‬. ͦ͜ͰɼRemoteTrans Ͱ͸ϦΫΤετ͓ΑͼϨεϙϯε. ͠ɼड৴ͨ͠ MAC ͱൺֱΛߦ͏ɽϊϯεΛ MAC ͷ‫ࢉܭ‬. ͕վ͟Μ͞Ε͍ͯͳ͍͜ͱΛอূ͢ΔͨΊʹɼਤ 4 ͷΑ. ʹ‫ؚ‬ΊΔ͜ͱʹΑͬͯɼҎલʹ࢖༻ͨ͠ϦΫΤετͱϨε. ͏ʹ੔߹ੑνΣοΫΛߦ͏ɽVMM ಺ͷ RemoteTrans Ϟ. ϙϯεͷ૊Λ࠶ར༻͢Δ͜ͱ͸Ͱ͖ͳ͘ͳΓɼϦϓϨΠ߈. δϡʔϧ͕ RemoteTrans ϥϯλΠϜ͔ΒͷϦΫΤετΛ. ܸΛ๷͙͜ͱ͕Ͱ͖Δɽ. ड͚औΔͱɼϦΫΤετʹ‫·ؚ‬ΕΔԾ૝ΞυϨεͱσʔλ αΠζɼͦΕʹ‫ࢹ؂͍ͯͮج‬ର৅ VM ͔Βऔಘͨ͠σʔ. 3.6 VMM ͷ‫׬‬શੑνΣοΫ. λ͔ΒϝοηʔδೝূίʔυʢMACʣΛ‫͢ࢉܭ‬ΔɽRe-. RemoteTrans Ͱ͸ɼΫϥ΢υ಺Ͱਖ਼͍͠ VMM ͕ಈ࡞. moteTrans αʔό͕औಘͨ͠σʔλͱͱ΋ʹ͜ͷ MAC Λ. ͍ͯ͠Δ͜ͱΛ֬ೝ͢ΔͨΊʹɼϦϞʔτΞςεςʔγϣ. ฦ͢ͱɼRemoteTrans ϥϯλΠϜͰ΋อଘ͓͍ͯͨ͠Ξ. ϯΛ༻͍Δɽαʔόͷ‫ى‬ಈ࣌ʹ VMM ͷϋογϡ஋Λ‫ܭ‬. υϨεͱσʔλαΠζɼड৴ͨ͠σʔλ͔Β MAC Λ‫ࢉܭ‬. ࢉ͠ɼΫϥ΢υͷ֎ͷ৴པͰ͖Δ‫ূݕ‬αʔόʹॺ໊෇͖. ͠ɼड৴ͨ͠ MAC ͱൺֱΛߦ͏ɽMAC ͕Ұக͠ͳ͚Ε. Ͱૹ৴͢Δɽϋογϡ஋ͷ‫ࢉܭ‬͸଱λϯύੑϋʔυ΢Σ. ͹ɼϦΫΤετ͔ϨεϙϯεͷͲͪΒ͔͕վ͟Μ͞Εͨ. ΞʢTPM) Λ༻͍ͯߦ͏͜ͱͰɼվ͟ΜΛ๷͙ɽ‫ূݕ‬αʔ. ͱΈͳ͢ɽ߈ܸऀ͕ MAC Λ‫͍ͳ͖Ͱࢉܭ‬Α͏ʹ͢ΔͨΊ. ό͸ॺ໊ͷଥ౰ੑΛ֬ೝ͔ͯ͠Βɼϋογϡ஋Λ‫ͯ͠ূݕ‬. ʹɼMAC ͷ‫͍༻ʹࢉܭ‬Δ‫ݤ‬͸ɼRemoteTrans Ϟδϡʔϧ. VMM ͷ‫׬‬શੑΛνΣοΫ͢Δɽ‫ى‬ಈ࣌ʹਖ਼͍͠ VMM ͕. ͱ RemoteTrans ϥϯλΠϜ͚ͩͰ‫ڞ‬༗͢Δɽ. ಈ࡞͍ͯ͠Δ͜ͱ͕֬ೝͰ͖Ε͹ɼVMM ͷϝϞϦอ‫ػޢ‬. ⓒ 2013 Information Processing Society of Japan. 4.

(5) 情報処理学会研究報告 IPSJ SIG Technical Report. ೳʹΑΓ࣮ߦ࣌ͷ VMM ͷվ͟Μ΋๷͙͜ͱ͕Ͱ͖Δɽ. Vol.2013-OS-126 No.20 2013/8/1. ࢓༷ͱͳ͍ͬͯΔ͕ɼ‫ࡏݱ‬ͷ࣮૷Ͱ͸ࣄલʹ‫ݤ‬Λ‫ڞ‬༗ͯ͠ ͍Δɽ. 3.7 ‫ݤ‬؅ཧ RemoteTrans Ͱ͸ɼMAC Λ‫͢ࢉܭ‬Δͱ͖ʹ༻͍Δ‫ڞ‬༗. 4.2 RemoteTrans αʔό. ‫ݤ‬Λ RemoteTrans ϥϯλΠϜͱ VMM ಺ͷ RemoteTrans. RemoteTrans αʔό͸ɼRemoteTrans ϥϯλΠϜ͔ΒϦ. ϞδϡʔϧͷؒͰ҆શʹ‫ڞ‬༗͢ΔɽRemoteTrans ϥϯλ. ΫΤετΛड͚ͱ͔ͬͯΒɼϋΠύʔίʔϧΛ༻͍ͯ VMM. ΠϜ͕ RemoteTrans αʔόʹΞΫηε͢Δࡍʹ઀ଓઌͷ. ಺ͷ RemoteTrans Ϟδϡʔϧʹड৴ͨ͠ϦΫΤετΛૹ. VMM ͷެ։‫ݤ‬Λ‫ݤ‬αʔό͔Βऔಘ͢Δɽ͜ͷ‫ݤ‬αʔό. ΔɽRemoteTrans ϞδϡʔϧͰ͸·ͣɼड͚औͬͨԾ૝Ξ. ͸৴པͰ͖Δ΋ͷͱ͠ɼ͋Β͔͡Ίਖ਼౰ͳ VMM ͷެ։. υϨεΛϚγϯϝϞϦͷϑϨʔϜ൪߸ʢMFNʣʹม‫͢׵‬Δɽ. ‫ొ͕ݤ‬࿥͞Ε͍ͯΔ΋ͷͱ͢ΔɽRemoteTrans ϥϯλΠ. rt get data ؔ਺͔ΒͷϦΫΤετͷ৔߹ɼΧʔωϧͷϖʔ. ϜͰੜ੒ͨ͠‫ڞ‬༗‫ݤ‬Λ VMM ͷެ։‫ݤ‬Λ༻͍ͯ҉߸Խ͠ɼ. δςʔϒϧΛͨͲΔ͜ͱͰม‫׵‬Λߦ͏ɽrt get proc data. RemoteTrans αʔόʹૹΔɽRemoteTrans αʔό͸҉߸. ؔ਺͔ΒͷϦΫΤετͷ৔߹ɼPGD ͕ࢦ͢ϓϩηεͷϖʔ. Խ͞Εͨެ։‫ݤ‬Λ RemoteTrans ϞδϡʔϧʹૹΓɼVMM. δςʔϒϧΛͨͲΔ͜ͱͰม‫׵‬Λߦ͏ɽ࣍ʹɼ‫͚ͨͭݟ‬. ʹ͋Δൿີ‫ݤ‬Λ༻͍ͯ෮߸Խ͢Δ͜ͱͰ IDS ͷ࣮ߦ͝ͱʹ. MFN ͕ࢦ͢ϝϞϦϖʔδΛϚοϓͯ͠ඞཁͳσʔλΛऔ. ҟͳΔ‫ڞ‬༗‫ݤ‬Λ࢖͏ɽVMM ͷൿີ‫ݤ‬͸ TPM Λ༻͍ͯ෧. ಘ͢ΔɽϦΫΤετ͞Εͨσʔλ͕ϖʔδ‫ڥ‬քʹ·͕ͨΔ. ҹʢ҉߸Խʣ͓ͯ͘͜͠ͱͰɼਖ਼͍͠ VMM ͕‫ى‬ಈͨ͠ͱ. ৔߹ɼ࿈ଓ͢ΔϖʔδͷσʔλΛϚοϓ͠σʔλΛऔಘ. ͖͚ͩ෧ҹΛղআʢ෮߸Խʣ͢Δ͜ͱ͕Ͱ͖Δɽ. ͢Δɽ. 4. ࣮૷. ͦͷ‫ޙ‬ɼϦΫΤετͱऔಘͨ͠σʔλ͔Β MAC Λ‫͢ࢉܭ‬ ΔɽMAC ͷ‫ࢉܭ‬͸ϋογϡؔ਺ͷ SHA-1 Λ༻͍ΔɽRe-. զʑ͸ RemoteTrans Λ Xen 4.1.3 ʹ࣮૷ͨ͠ɽಛ‫ݖ‬Λ. moteTrans Ϟδϡʔϧ͕औಘͨ͠σʔλͱ‫ ͨ͠ࢉܭ‬MAC. ͍࣋ͬͯΔ VM Ͱ͋ΔυϝΠϯ 0 Ͱ RemoteTrans αʔό. Λ RemoteTrans αʔόʹฦ͢ͱɼRemoteTrans αʔό͸. Λಈ࡞ͤ͞ɼ௨ৗͷ VM Ͱ͋ΔυϝΠϯ U Λ‫ࢹ؂‬ର৅ VM. ͦΕΛϨεϙϯεͱͯ͠ RemoteTrans ϥϯλΠϜʹૹ৴. ͱͨ͠ɽ‫ࢹ؂‬ର৅ VM ͷ OS ͱͯ͠ Linux 2.6.27.35 Λ༻. ͢Δɽ. ͍ͨɽ. 4.3 Transcall ͷ RemoteTrans ରԠ 4.1 RemoteTrans ϥϯλΠϜ. Transcall ͸ɼ‫ط‬ଘͷ IDS ΛΦϑϩʔυ͢ΔͨΊͷ࣮ߦ‫؀‬. RemoteTrans ϥϯλΠϜͰ͸ɼϦϞʔτͷ VM ͔Βσʔ. ‫ ڥ‬VM Shadow Λఏ‫͢ڙ‬ΔγεςϜͰ͋ΔɽTranscall ͷ. λΛऔಘ͢ΔͨΊʹ rt get data ؔ਺ͱ rt get proc data ؔ. ߏ੒Λਤ 5 ʹࣔ͢ɽTranscall ͸γεςϜίʔϧɾΤϛϡ. ਺Λఏ‫͢ڙ‬Δɽ. Ϩʔλͱ Shadow ϑΝΠϧγεςϜͰߏ੒͞ΕΔɽγες ϜίʔϧɾΤϛϡϨʔλʹΑͬͯ VM Shadow ͷதͰಈ. rt get data ‫ࢹ؂‬ର৅ VM ͷΧʔωϧσʔλΛࢀর͢Δ ͱ͖ʹ‫ͼݺ‬ग़͢ɽҾ਺ͱͯ͠Ծ૝ΞυϨεɼσʔλα. ࡞͢Δϓϩηε͕ൃߦ͢ΔγεςϜίʔϧΛΤϛϡϨʔ τ͠ɼ‫ࢹ؂‬ର৅ VM ͷΧʔωϧ಺ͷ৘ใΛฦ͢ɽͨͩ͠ɼ. ΠζΛऔΓɼऔಘͨ͠σʔλΛ֬อͨ͠ϝϞϦʹ֨ೲ. Φϑϩʔυઌ VM ͷ‫ػ‬ೳΛར༻Ͱ͖ΔϝϞϦ؅ཧͳͲͷ. ͠ɼͦͷΞυϨεΛฦ͢ɽ. γεςϜίʔϧ͸ɼͦͷ VM ಺ͷ OS ʹରͯ͠ൃߦ͢Δɽ. rt get proc data ‫ࢹ؂‬ର৅ VM ͷதͷϓϩηεͷΧʔ. Shadow ϑΝΠϧγεςϜ͸ Transcall ࣮ߦ࣌ʹ‫ࢹ؂‬ର৅. ωϧσʔλΛࢀর͢Δͱ͖ʹ‫ͼݺ‬ग़͢ɽྫ͑͹ɼϓϩ. VM ͷσΟεΫΠϝʔδΛΦϑϩʔυઌ VM ʹϚ΢ϯτ͢. ηεΛ‫ى‬ಈͨ͠ͱ͖ͷίϚϯυϥΠϯ͸ϓϩηεͷϝ. ΔɽͦΕʹΑΓɼ‫ࢹ؂‬ର৅ VM Ͱ࢖ΘΕ͍ͯΔ΋ͷͱಉ͡. ϞϦ্ʹ֨ೲ͞Ε͍ͯΔɽ͜ͷؔ਺͸Ծ૝ΞυϨεͱ. ϑΝΠϧγεςϜΛఏ‫͢ڙ‬Δɽ·ͨɼಛघͳϑΝΠϧγε. σʔλαΠζʹՃ͑ͯɼϓϩηεͷϖʔδάϩʔόϧ. ςϜͱͯ͠ Shadow proc ϑΝΠϧγεςϜ΋ఏ‫͢ڙ‬Δɽ͜. σΟϨΫτϦʢPGD) ͷԾ૝ΞυϨεΛҾ਺ʹऔΓɼ. ͷϑΝΠϧγεςϜ͸‫ࢹ؂‬ର৅ VM ͷ proc ϑΝΠϧγε. औಘͨ͠σʔλ͕֨ೲ͞ΕͨϝϞϦͷΞυϨεΛฦ͢ɽ. ςϜͷ৘ใΛఏ‫͠ڙ‬ɼΧʔωϧͷ‫ࡏݱ‬ͷঢ়ଶ΍‫ߦ࣮ࡏݱ‬த ͷϓϩηε৘ใͳͲΛ‫ؚ‬ΜͰ͍Δɽྫ͑͹ɼps ίϚϯυ΍. RemoteTrans αʔόʹϦΫΤετΛૹΔࡍʹ͸ɼϊϯε. netstat ίϚϯυ͸ proc ϑΝΠϧγεςϜΛࢀর࣮ͯ͠ߦ. ͱͯ͠ੜ੒ͨ͠ཚ਺΋Ұॹʹૹ৴͢ΔɽϨεϙϯε͕ฦ͞. ͞ΕΔɽTranscall Ͱ͸ɼ‫ࢹ؂‬ର৅ VM ͷΧʔωϧϝϞϦ. ΕΔͱ MAC ͷ‫ূݕ‬Λߦ͍ɼड৴ͨ͠ MAC ͷ஋ͱҟͳΔ. ͔Β௚઀৘ใΛऔಘ͢Δ͜ͱͰ proc ϑΝΠϧγεςϜͷ. ৔߹͸ؔ਺ͷฦΓ஋ͱͯ͠ NULL Λฦ͢ɽ. ৘ใΛऔಘ͢Δɽ. ͜ΕΒͷؔ਺Λ࠷ॳʹ‫ͼݺ‬ग़ͨ࣌͠ʹɼRemoteTrans. Transcall Λ RemoteTrans ʹରԠͤ͞ɼ‫ࢹ؂‬ର৅ VM ͷ. αʔόʹ઀ଓ͢Δɽͦͷࡍʹ 3.7 અͷΑ͏ʹ‫ڞ‬༗‫ݤ‬ΛૹΔ. proc ϑΝΠϧγεςϜΛωοτϫʔΫ‫ܦ‬༝ͰऔಘͰ͖ΔΑ. ⓒ 2013 Information Processing Society of Japan. 5.

(6) 情報処理学会研究報告 IPSJ SIG Technical Report. Vol.2013-OS-126 No.20 2013/8/1 ද 1. Shadow proc ϑΝΠϧγεςϜߏங࣌ؒʢඵʣ ࣮ߦ࣌ؒ ैདྷγεςϜ. 1.1. RemoteTrans. 16.4. ਤ 5 Transcall ͷγεςϜߏ੒. ͏ʹͨ͠ɽզʑ͸ϦϞʔτͷϗετʹ‫ط‬ଘͷ IDS ΛΦϑ ϩʔυͰ͖ΔΑ͏ʹ͢Δ͜ͱΛ໨ඪͱ͍ͯ͠Δɽ‫ࡏݱ‬ͷͱ ͜ΖɼγεςϜίʔϧɾΤϛϡϨʔλͱ Shadow proc ϑΝ ΠϧγεςϜΛ RemoteTrans ϥϯλΠϜ্Ͱ࣮ߦͰ͖ɼ‫؂‬ ࢹର৅ VM ͷ proc ϑΝΠϧγεςϜΛωοτϫʔΫ‫ܦ‬༝ Ͱऔಘ͢Δ͜ͱ͕Ͱ͖͍ͯΔɽͦͷͨΊʹɼ‫ࢹ؂‬ର৅ VM. ਤ 6. RemoteTrans ͷ࣮ߦ࣌ؒͷ಺༁ʢඵʣ. ͷϝϞϦΛࢀর͍ͯ͠Δ෦෼Λ RemoteTrans ͕ఏ‫͢ڙ‬Δ. API Λ༻͍ͯॻ͖‫ͨ͑׵‬ɽ‫ࢹ؂‬ର৅ VM ͷԾ૝σΟεΫ ΛࢀরͰ͖ΔΑ͏ʹ͢Δ͜ͱ͸ࠓ‫ޙ‬ͷ՝୊Ͱ͋Δɽ. 5. ࣮‫ݧ‬ ·ͣɼRemoteTrans ʹΑΓϦΫΤετ͓ΑͼϨεϙϯ εͷվ͟Μ͕‫ݕ‬ग़Ͱ͖Δ͜ͱΛ֬ೝ͢Δ࣮‫ݧ‬Λߦͬͨɽ࣍. 5.2 ϦϓϨΠ߈ܸ‫ݕ‬஌ ϦϓϨΠ߈ܸΛ‫ݕ‬஌Ͱ͖Δ͜ͱΛ֬ೝ͢Δ࣮‫ݧ‬Λߦͬͨɽ ϦϓϨΠ߈ܸͱͯ͠ɼҎલʹฦ͞ΕͨϨεϙϯεΛอଘ͠ ͓͖ͯɼ‫ͦͰޙ‬ΕΛ RemoteTrans ϥϯλΠϜʹฦ͢Α͏ ʹͨ͠ɽ࣮‫ݧ‬ͷ݁ՌɼMAC ͕ҰகͤͣɼϦϓϨΠ߈ܸʹ ͓͍ͯ΋Ϩεϙϯεͷվ͟ΜΛ‫ݕ‬஌͢Δ͜ͱ͕Ͱ͖ͨɽ. ʹɼRemoteTrans Λ༻͍ͯϦϞʔτͷ‫ࢹ؂‬ର৅ VM ͷ proc ϑΝΠϧγεςϜͷ৘ใΛऔಘ͠ɼShadow proc ϑΝΠϧ. 5.3 ‫ط‬ଘͷ IDS ͷಈ࡞֬ೝ. γεςϜΛߏங͢Δͷʹ͔͔Δ࣌ؒΛଌఆͨ͠ɽ‫ࢹ؂‬ର৅. RemoteTrans ʹରԠͨ͠ VM Shadow Λ༻͍ͯɼ‫ط‬ଘ. ϗετʹ͸ Intel Core i7 ͷ CPUɼ16GB ͷϝϞϦΛ౥ࡌ. ͷ IDS ͕ಈ࡞͢Δ͜ͱΛ֬ೝ͢Δ࣮‫ݧ‬ΛߦͬͨɽShadow. ͨ͠ϚγϯΛ࢖༻͠ɼVMM ͱͯ͠ Xen 4.1.3 Λಈ࡞ͤ͞. proc ϑΝΠϧγεςϜΛࢀর͢Δ ps ͱ netstat ίϚϯυ. ͨɽRemoteTrans αʔόΛಈ࡞ͤ͞ΔυϝΠϯ 0 ͸ OS ʹ. ͷಈ࡞֬ೝΛߦͬͨͱ͜ΖɼͦΕͧΕ‫ࢹ؂‬ର৅ VM ͷ࣮ߦ. Linux 3.2.0ɼ‫ࢹ؂‬ର৅ VM ͷ OS ʹ͸ Linux 2.6.27.35 Λ. ݁ՌΛฦ͢͜ͱΛ֬ೝͨ͠ɽͨͩ͠ɼnetstat ͷ࣮ߦ݁Ռ. ༻͍ͨɽRemoteTrans ϥϯλΠϜΛಈ࡞ͤ͞Δ‫ࢹ؂‬ϗετ. ͷҰ෦͕ਖ਼͘͠औಘͰ͖͍ͯͳ͔ͬͨɽ. ʹ͸ɼIntel Core i7 ͷ CPUɼ8GB ͷϝϞϦΛ౥ࡌͨ͠Ϛ γϯΛ࢖༻͠ɼOS ʹ͸ Linux 3.2.0 Λ༻͍ͨɽ͜ΕΒͷϗ ετ͸ΪΨϏοτΠʔαωοτɾεΠονͰ઀ଓͨ͠ɽ. 5.4 Shadow proc ϑΝΠϧγεςϜߏங࣌ؒ Shadow proc ϑΝΠϧγεςϜͷߏஙʹ͔͔Δ࣌ؒΛै དྷγεςϜͱ RemoteTrans Λ༻͍ͨγεςϜͱͰൺֱ͠. 5.1 ϦΫΤετ͓ΑͼϨεϙϯεͷվ͟Μ‫ݕ‬஌ RemoteTrans ʹ͓͚ΔϦΫΤετͱϨεϙϯεͷվ͟ Μ͕‫ݕ‬஌Ͱ͖Δ͔Ͳ͏͔Λ֬ೝ͢Δ࣮‫ݧ‬Λߦͬͨɽͦͷͨ. ͨɽ࣮‫݁ݧ‬ՌΛද 1 ʹࣔ͢ɽRemoteTrans Λ༻͍ͨγε ςϜͰ͸ɼैདྷγεςϜͷ 15 ഒఔ౓ͷ͕͔͔࣌ؒͬͯ͠ ·͍ͬͯΔ͜ͱ͕Θ͔Δɽ. ΊʹɼRemoteTrans αʔόʹૹΒΕͯ͘ΔϦΫΤετͱ. ࣍ʹɼߏஙʹ͓͚ΔϘτϧωοΫΛௐ΂ΔͨΊʹ࣮ߦ࣌. RemoteTrans ϥϯλΠϜ΁ฦ͢Ϩεϙϯεͷվ͟ΜΛߦͬ. ؒͷ಺༁Λௐ΂ͨɽRemoteTrans Λ༻͍ͨߏஙͷࡍʹ͸ɼ. ͨɽ۩ମతʹ͸ɼಛఆͷϓϩηε৘ใΛ࣋ͭΞυϨε͕ૹ. σʔλ௨৴ɼϋΠύʔίʔϧΛ༻͍ͨ VMM Ͱͷσʔλ. ΒΕ͖ͯͨ࣌ʹϦΫΤετʹ‫·ؚ‬ΕΔԾ૝ΞυϨεͱσʔ. औಘ͓Αͼ MAC ͷ‫ࢉܭ‬ɼRemoteTrans ϥϯλΠϜ্Ͱ. λαΠζɼϨεϙϯεʹ‫·ؚ‬ΕΔσʔλͷվ͟ΜΛͦΕͧ. ͷ MAC ͷ‫ߦ͕Ͳͳূݕ‬ΘΕΔɽ࣮‫݁ݧ‬ՌΛਤ 6 ʹࣔ͢ɽ. ΕߦͬͨɽRemoteTrans Λ༻͍ͯ proc ϑΝΠϧγεςϜ. ͜ͷ݁ՌΑΓɼ௨৴ʹ 10.5 ඵ͔͔͓ͬͯΓɼ࣮ߦ࣌ؒͷ. ͷऔಘΛߦ͓͏ͱͨ͠ͱ͜ΖɼMAC ͕ҰகͤͣɼϦΫΤ. 64%Λ઎Ί͍ͯΔ͜ͱ͕Θ͔ͬͨɽShadow proc ϑΝΠϧ. ετ·ͨ͸Ϩεϙϯε͕վ͟Μ͞Ε͍ͯΔ͜ͱΛ‫ݕ‬஌͢Δ. γεςϜΛߏங͢ΔͨΊʹσʔλૹड৴͸ 34210 ճߦΘΕ. ͜ͱ͕Ͱ͖ͨɽ. ͍ͯͨɽ. ⓒ 2013 Information Processing Society of Japan. 6.

(7) 情報処理学会研究報告 IPSJ SIG Technical Report. 6. ؔ࿈‫ڀݚ‬ Self-Service CloudʢSSC) [5] ͸ɼΫϥ΢υͷϢʔβ͚ͩ ʹࣗ਎ͷ VM Λ؅ཧ͢Δ‫ݶݖ‬Λ༩͑ɼΫϥ΢υͷ؅ཧऀ ͔Βͷ‫ׯ‬বΛ๷͙ɽϢʔβ͸αʔϏευϝΠϯͱ‫ݺ‬͹ΕΔ. Vol.2013-OS-126 No.20 2013/8/1. σʔλΛ෮߸Խ͢Δ͜ͱͰɼΦϑϩʔυͨ͠ IDS ͷ࣮ߦ͕ ՄೳʹͳΔɽ. 7. ·ͱΊ ຊߘͰ͸ɼ‫ࢹ؂‬ର৅ VM ͕ಈ࡞͍ͯ͠ΔΫϥ΢υͱ͸. VM Λ҆શʹ‫ى‬ಈ͠ɼଞͷ VM Λ‫͢ࢹ؂‬Δ͜ͱ͕Ͱ͖Δɽ. ผͷϗετʹ IDS ΛΦϑϩʔυ͠ɼωοτϫʔΫ‫ܦ‬༝Ͱ. Ϋϥ΢υͷ؅ཧऀ͕αʔϏευϝΠϯͷதͷ IDS Λఀࢭ͠. ҆શʹ‫ࢹ؂‬ର৅ VM Λ‫͖Ͱࢹ؂‬ΔΑ͏ʹ͢ΔγεςϜ Re-. ͨΓվ͟Μͨ͠Γ͢Δ͜ͱ͸Ͱ͖ͳ͍ɽ͔͠͠ɼαʔϏε. moteTrans ΛఏҊͨ͠ɽRemoteTrans ͸ IDS Λ৴པͰ͖. υϝΠϯ಺ͷγεςϜʹ੬ऑੑ͕͋Δͱ߈ܸΛड͚ΔՄೳ. Δϗετ্Ͱಈ࡞ͤ͞Δ͜ͱʹΑΓɼIDS ͷఀࢭɾվ͟. ੑ͕͋Δɽ. ΜΛ๷͙ɽ·ͨɼIDS ͱΫϥ΢υ಺ͷ VMM ͷؒͰ੔߹. CloudVisor [8] ͸ VMM ͷԼʹηΩϡϦςΟϞχλΛಋ. ੑνΣοΫΛߦ͏͜ͱͰɼࢀর͢Δσʔλͷվ͟ΜΛ‫ݕ‬. ೖ͢Δ͜ͱͰɼVMM ΋‫ؚ‬Ίͯ৴པͰ͖ͳ͍Ϋϥ΢υͷத. ग़͢ΔɽRemoteTrans Λ Xen ʹ࣮૷͠ɼϦΫΤετ͓Α. Ͱ΋҆શʹ VM Λಈ࡞ͤ͞Δ͜ͱ͕Ͱ͖ΔɽVM ͕ଞͷ. ͼϨεϙϯεͷվ͟ΜΛ‫ݕ‬஌Ͱ͖Δ͜ͱΛ֬ೝͨ͠ɽ·. VM Λ‫͢ࢹ؂‬Δ‫ػ‬ೳ͸ఏ‫͞ڙ‬Ε͓ͯΒͣɼ؅ཧ VM ͕ VM. ͨɼTranscall Λ RemoteTrans ʹରԠͤ͞Δ͜ͱͰɼ‫ط‬ଘ. ͷϝϞϦΛࢀর͢Δ࣌ʹ͸҉߸Խ͞ΕΔͨΊɼIDS ΛΦϑ. ͷ IDS Λಈ࡞ͤ͞ΒΕΔΑ͏ʹͨ͠ɽ. ϩʔυ͢Δ͜ͱ͸Ͱ͖ͳ͍ɽ. ࠓ‫ޙ‬ͷ՝୊͸σʔλऔಘͷߴ଎ԽͰ͋Δɽ‫ࡏݱ‬͸Ұͭͣ. Copilot [9] ͸Χʔωϧͷ੔߹ੑΛϦϞʔτ͔ΒνΣοΫ. ͭσʔλΛϦΫΤετͯ͠औಘ͍ͯ͠Δ͕ɼҰ‫ׅͯ͠‬औಘ. Ͱ͖ΔγεςϜͰ͋ΔɽPCI ΧʔυΛ༻͍ͯϦϞʔτϗε. Ͱ͖ΔΑ͏ʹ͢Δํ๏͕ߟ͑ΒΕΔɽྫ͑͹ɼ̍ճͷϦΫ. τʹΧʔωϧϝϞϦΛૹΓɼΧʔωϧͷվ͟ΜΛ‫ݕ‬ग़͢Δ. ΤετͰϓϩηεϦετΛͨͲͬͯ͢΂ͯͷϓϩηεσʔ. ͜ͱ͕Ͱ͖Δɽ͔͠͠ɼΫϥ΢υ಺ͷ͢΂ͯͷϗετʹઐ. λΛऔಘ͢Ε͹ɼ௨৴ճ਺Λେ෯ʹ࡟‫͖Ͱݮ‬Δɽ·ͨɼϝ. ༻ͷ PCI ΧʔυΛಋೖ͢Δͷ͸‫࣮ݱ‬తͰ͸ͳ͍ɽ. ϞϦσʔλ͚ͩͰͳ͘ɼσΟεΫσʔλΛऔಘͰ͖ΔΑ͏. HyperCheck [10] ͸ CPU ͷ҆શͳϞʔυͰ͋Δ SMM. ʹ͢Δ͜ͱ΋՝୊ͷҰͭͰ͋ΔɽσΟεΫσʔλ͸ϝϞϦ. Λ࢖ͬͯ VMM ͷϝϞϦΛϦϞʔτϗετʹૹΓɼ‫׬‬શੑ. σʔλͱൺ΂ͯ‫ڊ‬େͰ͋ΔͨΊɼ௨৴ྔΛ‫ݮ‬Β͢޻෉͕ඞ. ͷνΣοΫΛߦ͏γεςϜͰ͋ΔɽϝϞϦΛ҆શʹϦϞʔ. ਢͰ͋Δɽ. τϗετʹૹΔ͜ͱ͕Ͱ͖Δ఺Ͱ RemoteTrans ʹࣅ͍ͯ Δɽ͔͠͠ɼSMM ্ͷίʔυ͸ϦϞʔτϗετ͔ΒͷϦ. ࢀߟจ‫ݙ‬. ΫΤετΛड͚औΔ͜ͱ͕Ͱ͖ͳ͍ͨΊɼఆ‫ظ‬తʹϝϞϦ. [1]. શମΛૹ৴͢Δඞཁ͕͋ΔɽͦͷͨΊɼσʔλ௨৴ྔ͕ଟ ͘ͳΔͱ͍͏໰୊͕͋Δɽ. HyperGuard [11]ɼHyperSentry [12]ɼFlicker [13]ɼSPE. [2]. Observer [14] ͸ɼϋʔυ΢ΣΞͷ‫ػ‬ೳΛ༻͍Δ͜ͱʹΑͬ ͯΫϥ΢υ಺Ͱ҆શʹ IDS Λಈ࡞ͤ͞Δ͜ͱ͕Ͱ͖Δɽ. HyperGuard ͸ SMM ্Ͱ VMM ͷϝϞϦνΣοΫΛߦ ͏ɽHyperSentry ͸ SMM Λར༻ͯ͠ VMM ಺ͷ IDS Λ. [3]. ҆શʹ࣮ߦ͢ΔɽFlicker ͸ Intel TXT ΍ AMD SVM Λ༻. [4]. ͍ͯ҆શʹ IDS Λ࣮ߦ͢ΔɽSPE Observer ͸ Cell/B.E. ͷ Isolation ϞʔυΛ༻͍ͯ SPE ্Ͱ҆શʹ IDS Λ࣮ߦ͢. [5]. Δɽ͔͠͠ɼ‫ࢹ؂‬தʹγεςϜͷଞͷ෦෼Λఀࢭͤ͞ͳ͚ Ε͹ͳΒͳ͔ͬͨΓɼҰൠతͰͳ͍ϋʔυ΢ΣΞ͕ඞཁͱ ͳͬͨΓ͢Δɽ. [6]. ηΩϡΞͳ࣮ߦ‫[ ڥ؀‬7] ΍ VMCrypt [6] ͸ VM ͷϝϞ Ϧ΍Ϩδελ͔Β؅ཧ VM ΁৘ใ͕࿙Ӯ͢Δ͜ͱΛ๷͙ γεςϜͰ͋Δɽ؅ཧ VM ͕Ϣʔβ VM ͷϝϞϦΛϚο. [7]. ϓ͠Α͏ͱ͢ΔͱɼVMM ͕ͦͷϝϞϦ಺༰Λ҉߸Խ͢ Δɽ·ͨɼVM ͷϝϞϦͷվ͟Μ΋‫ݕ‬ग़͢Δ͜ͱ͕Ͱ͖Δɽ ͜ΕΒͷ‫ߏػ‬Λ༻͍ΔͱϝϞϦ͕҉߸Խ͞ΕΔͨΊɼै དྷͷ IDS ΦϑϩʔυͰ͸‫ࢹ؂‬Λߦ͏͜ͱ͕Ͱ͖ͳ͘ͳΔɽ. RemoteTrans Λ༻͍Ε͹ϦϞʔτͷ‫ࢹ؂‬ϗετͰϝϞϦ ⓒ 2013 Information Processing Society of Japan. [8]. Garfinkel, T. and Rosenblum, M.: A Virtual Machine Introspection Based Architecture for Intrusion Detection, Proceedings of Network and Distributed Systems Security Symposium, pp. 191–206 (2003). Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I. and Warfield, A.: Xen and the art of virtualization, Proceedings of the nineteenth ACM symposium on Operating systems principles, pp. 164–177 (2003). ൧ా‫و‬େɼޫདྷ݈ҰɿVM Shadowɿ‫ط‬ଘ IDS ΛΦϑϩʔ υ͢ΔͨΊͷ࣮ߦ‫ڥ؀‬ɼୈ 119 ճ OS ‫ڀݚ‬ձ (2011). Ӊ౎‫ٶ‬णਔɼޫདྷ݈ҰɿVM ϚΠάϨʔγϣϯΛՄೳʹ ͢Δ IDS Φϑϩʔυ‫ߏػ‬ɼୈ 28 ճ೔ຊιϑτ΢ΣΞՊ ֶձେձ (2011). Butt, S., Lagar-Cavilla, H. A., Srivastava, A. and Ganapathy, V.: Self-service cloud computing, Proceedings of the 2012 ACM conference on Computer and communications security, pp. 253–264 (2012). Tadokoro, H., Kourai, K. and Chiba, S.: Preventing Information Leakage from Virtual Machines’ Memory in IaaS Clouds, IPSJ Transactions on Advanced Computing Systems, Vol. 5, No. 4, pp. 101–111 (2012). Li, C., Raghunathan, A. and Jha, N. K.: Secure Virtual Machine Execution under an Untrusted Management OS, Proceedings of IEEE CLOUD’10, pp. 172–179 (2010). Zhang, F., Chen, J., Chen, H. and Zang, B.: CloudVisor: retrofitting protection of virtual machines in multitenant cloud with nested virtualization, Proceedings of. 7.

(8) 情報処理学会研究報告 IPSJ SIG Technical Report. [9]. [10]. [11] [12]. [13]. [14]. Vol.2013-OS-126 No.20 2013/8/1. the Twenty-Third ACM Symposium on Operating Systems Principles, pp. 203–216 (2011). Petroni, Jr., N. L., Fraser, T., Molina, J. and Arbaugh, W. A.: Copilot - a coprocessor-based kernel runtime integrity monitor, Proceedings of the 13th conference on USENIX Security Symposium, pp. 13–13 (2004). Wang, J., Stavrou, A. and Ghosh, A.: HyperCheck: A Hardware-Assisted Integrity Monitor, Proceedings of International Symposium of Recent Advances in Intrusion Detection, pp. 158–177 (2010). Rutkowska, J., Wojtczuk, R. and Tereshkin, A.: Xen 0wning Trilogy, Black Hat USA (2008). Azab, A. M., Ning, P., Wang, Z., Jiang, X., Zhang, X. and Skalsky, N. C.: HyperSentry: enabling stealthy incontext measurement of hypervisor integrity, Proceedings of the 17th ACM conference on Computer and communications security, pp. 38–49 (2010). McCune, J. M., Parno, B., Perrig, A., Reiter, M. K. and Isozaki, H.: Flicker: An Execution Infrastructure for TCB Minimization, Proceedings of European Conference of Computer Systems, pp. 315–328 (2008). Kourai, K. and Nagata, T.: A Secure Framework for Monitoring Operating Systems Using SPEs in Cell/B.E., Proceedings of Pacific Rim International Symposium on Dependable Computing, pp. 41–50 (2012).. ⓒ 2013 Information Processing Society of Japan. 8.

(9)