Journal of Information Security Research ›› 2019, Vol. 5 ›› Issue (7): 616-622.
刘刚1,徐峥2,崔士伟2
Abstract: Virtualization technology has been widely used in cloud computing environments, and its security is becoming more and more important. At present, malicious code attacks are developing in the direction of complexity, concealment, and persistence, and have become one of the important threats to cloud infrastructure in China. Especially in the context of the massive use of Linux and kernel-based virtual machine (KVM) virtualization in cloud data centers, it is very important to research detection and protection technologies for Linux kernel-level Rootkits in the KVM virtualization environment. However, current research in this field focuses mainly on detection and is lacking in the response and protection stages. To solve this problem, this paper proposes a security architecture that integrates kernel-level Rootkit security detection, response and active protection in the KVM virtualization environment, and validates it on a KVM virtualization platform. The results show that the security architecture can effectively detect and prevent kernel-level Rootkit attacks in guest virtual machines.
Key words: cloud computing, KVM virtualization, kernel Rootkit, virtual machine introspection, security reinforcement
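刘刚, 徐峥, 崔士伟. Research on Kernel-Level Rootkit Detection and Protection Technology in the KVM Environment [J]. Journal of Information Security Research, 2019, 5(7): 616-622.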
URL: http://www.sicris.cn/EN/
http://www.sicris.cn/EN/Y2019/V5/I7/616