Security Technology Based on ARM Virtualization Extension

doi:10.13328/j.cnki.jos.005185

微信服务号

微信订阅号

2025-4-21- 14

Home > Archive>Volume 28, Issue 9, 2017 >2229-2247. DOI:10.13328/j.cnki.jos.005185

PDF HTML XML Export Cite reminder

Security Technology Based on ARM Virtualization Extension
DOI:
                        10.13328/j.cnki.jos.005185
                    
Author:
                        LI Zhou-JunLI Zhou-Jun
School of Computer Science and Engineering, BeiHang University, Beijing 100191, China
Find this author on CNKI
Find this author on BaiDu
Search for this author on this site
SHEN DongSHEN Dong
School of Computer Science and Engineering, BeiHang University, Beijing 100191, China
Find this author on CNKI
Find this author on BaiDu
Search for this author on this site
SU Xiao-JingSU Xiao-Jing
Key Laboratory of Microelectronics Devices & Integrated Technology, Institute of Microelectronics, The Chinese Academy of Sciences, Beijing 100029, China
Find this author on CNKI
Find this author on BaiDu
Search for this author on this site
MA Jin-XinMA Jin-Xin
China Information Technology Security Evaluation Center, Beijing 100085, China
Find this author on CNKI
Find this author on BaiDu
Search for this author on this site

                    
Affiliation:
Clc Number:
Fund Project:National High Technology Research and Development Program of China (863) (2015AA016004); National Natural Science Foundation of China (61370126, 61672081, 61502536); Beijing Advanced Innovation Center for Imaging Technology (BAICIT-2016001)

Article

Figures

Metrics

Reference [80]

Related [20]

Cited by

Materials

Comments

Abstract:

In recent years, with the growth in the number of mobile platform users, mobile platform security has become the focal point in the field of information security. The virtualization extension of ARM, which facilitates the security of mobile platform based on virtualization technology, is a hot research topic. This paper first introduces the types of virtualization technology and previous related studies. Then the concepts of ARM virtualization extension are presented, and the comparison with the x86 virtualization extension is given as well. Subsequently, the paper focuses on the current situation of security research based on hardware virtualization extension, including the general system frameworks and security tools for specific attacks. Analysis of future's research trend of ARM virtualization-based security technology is put forward at the end.

Key words:ARM;virtualization;system security;mobile security;virtual machine monitor

Reference

[1] Smith B. ARM and Intel battle over the mobile chip's future. Computer, 2008,41(5):15-18.[doi:10.1109/MC.2008.142]

[2] Aroca RV, Goncalev LMG. Towards green data centers:A comparison of x86 and ARM architectures power efficiency. Journal of Parallel & Distributed Computing, 2012,72(12):1770-1780.[doi:10.1016/j.jpdc.2012.08.005]

[3] Ou Z, Pang B, Deng Y, Nurminen JK. Energy-and cost-efficiency analysis of ARM-based clusters. In:Proc. of the IEEE/ACM Int'l Symp. on Cluster, Cloud and Grid Computing. 2012. 115-123.[doi:10.1109/CCGrid.2012.84]

[4] You DH, Noh BN. Android platform based Linux kernel rootkit. In:Proc. of the Int'l Conf. on Malicious & Unwanted Software. 2011. 79-87.[doi:10.1109/MALWARE.2011.6112330]

[5] Li WX, Wang JB, Mu DJ, Yuan Y. Survey on android rootkit. Microprocessors, 2011,32(2):68-72(in Chinese with English abstract).[doi:10.3969/j.issn.1002-2279.2011.02.020]

[6] Mulliner C, Robertson W, Kirda E. VirtualSwndle:An automated attack against in-app billing on Android. In:Proc. of the ACM Asia Conf. on Computer and Communications Security. 2014. 459-470.[doi:10.1145/2590296.2590335]

[7] Arzt S, Huber S, Rasthofer S, Bodden E. Denial-of-App attack:Inhibiting the installation of Android apps on stock phones. In:Proc. of the 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices. 2014. 21-26.[doi:10.1145/2666620. 2666621]

[8] Spaulding J, Krauss A, Srinivasan A. Expoloring an open wifi detection vulnerability as a malware attack vector on iOS devices. In:Proc. of the Int'l Conf. on Malicious and Unwanted Software. 2012. 87-93.[doi:10.1109/MALWARE.2012.6461013]

[9] Uhlig R, Neiger G, Rodgers D, Santoni AL, Martins FCM, Anderson AV, Bennett SM, Kägi A, Leung FH, Smith L. Intel virtualization technology. Computer, 2005,38(5):48-56.[doi:10.1109/MC.2005.163]

[10] Chen X, Garfinkel T, Lewis EC, Subrahmanyam P, Waldspurger CA, Boneh D, Dwoskin J, Ports DRK. Overshadow:A virtualization-based approach to retrofitting protection in commodity operating systems. In:Proc. of the Int'l Conf. on Architectural Support for Programming Languages & Operating Systems. 2008. 2-13.[doi:10.1145/1346281.1346284]

[11] Hofmann OS, Kim S, Dunn AM, Lee MZ, Witchel E. InkTag:Secure applications on an untrusted operating system. In:Proc. of the Int'l Conf. on Architectural Support for Programming Languages & Operating Systems. 2013. 253-264.[doi:10.1145/2451116. 2451146]

[12] Zhou ZW, Gligor VD, Newsome J, McCune JM. Building verifiable trusted path on commodity x86 computers. In:Proc. of the IEEE Symp. on Security and Privacy. 2012. 616-630.[doi:10.1109/SP.2012.42]

[13] Cheng YQ, Ding XH, Deng RH. Efficient virtualization-based application protection against untrusted operating system. In:Proc. of the 10th ACM Symp. on Information, Computer and Communications Security. 2015. 345-356.[doi:10.1145/2714576. 2714618]

[14] ARM. Architecture Reference Manual (ARMv7-A and ARMv7-R edition). USA:ARM, 2012.

[15] Belady L. A study of replacement algorithms for virtual storage computers. IBM Systems Journal, 1966,5(2):78-101.[doi:10. 1147/sj.52.0078]

[16] Seawright LH, Mackinnon RA. VM/370-A study of multiplicity and usefulness. IBM Systems Journal, 1979,18(1):4-17.[doi:10.1147/sj.181.0004]

[17] Creasy RJ. The origin of the VM/370 time-sharing system. IBM Journal of Research & Development, 1981,25(5):483-490.[doi:10.1147/rd.255.0483]

[18] Gum PH. System/370 extended architecture:Facilities for virtual machines. IBM Journal of Research & Development, 1983,27(6):530-544.[doi:10.1147/rd.276.0530]

[19] Garfinkel T, Ptaff B, Chow J, Rosenblum M, Boneh D. Terra:A virtual machine-based platform for trusted computing. ACM Sigops Operating Systems Review, 2003,37(5):193-206.[doi:10.1145/1165389.945464]

[20] Huang JB, Ding Y, Fang F. Virtualization and cloud computing. In:Proc. of the Asia-Pacific Conf. on Information Network and Digital Content Security. 2011. 83-86(in Chinese with English abstract).

[21] Zeng S, Hao Q. Network I/O path analysis in the kernel-based virtual machine environment through tracing. In:Proc. of the Int'l Conf. on Information Science and Engineering. 2009. 2658-2661.[doi:10.1109/ICISE.2009.776]

[22] Wang J, Niphadkar S, Stavrou A, Ghosh AK. A virtualization architecture for in-depth kernel isolation. In:Proc. of the 43th Hawaii Int'l Conf. on System Sciences. 2010. 1-10.[doi:10.1109/HICSS.2010.41]

[23] Whitaker A, Shaw M, Gribble SD. Scale and performance in the Denali isolation kernel. ACM SIGOPS Operating Systems Review, 2002,36(SI):195-209.[doi:10.1145/844128.844147]

[24] Perez R, Doom LV, Sailer R. Virtualization and hardware-based security. IEEE Security & Privacy, 2008,6(5):24-31.[doi:10. 1109/MSP.2008.135]

[25] Wisniewski RW, Inglett T, Keppel P, Murty R, Riesen R. mOS:An architecture for extreme-scale operating systems. In:Proc. of the 4th Int'l Workshop on Runtime and Operating Systems for Supercomputers. 2014. 1-8.[doi:10.1145/2612262.2612263]

[26] Yu KL, Chen Y, Mao JJ, Zhang L. ARM-MuxOS:A system architecure to support multiple operating systems on single mobile device. Computer Science, 2014,41(10):7-11(in Chinese with English abstract).[doi:10.11896/j.issn.1002-137X.2014.10.002]

[27] Nanda S, Chiueh TC. A survey on virtualization technologies. RPE Report, 2005. 1-42.

[28] Smith JE, Nair R. The architecture of virtual machines. Computer, 2005,38(5):32-38.[doi:10.1109/MC.2005.173]

[29] Rosenblum M, Garfinkel T. Virtual machine monitors:Current technology and future trends. Computer, 2005,38(5):39-47.[doi:10.1109/MC.2005.176]

[30] Popek GJ, Goldberg RP. Formal requirements for virtualizable third generation architectures. Communications of the ACM, 1974, 17(7):412-421.[doi:10.1145/361011.361073]

[31] Sites RL, Chernoff A, Kirk MB, Marks MP, Robinson SG. Binary translation. Communications of the ACM, 1993,36(2):69-81.[doi:10.1145/151220.151227]

[32] Suzuki A, Oikawa S. Implementing a simple trap and emulate VMM for the ARM architecture. In:Proc. of the IEEE Int'l Conf. on Embedded and Real-Time Computing Systems and Applications. 2011. 371-379.[doi:10.1109/RTCSA.2011.26]

[33] Bellard F. QEMU, a fast and portable dynamic translator. In:Proc. of the Freenix Track:2005 Usenix Technical Conf. 2005. 41-46.

[34] Bartholomew D. QEMU:A multihost multitarget emulator. Linux Journal, 2006,2006(145):68-71.

[35] Oh SC, Kim KH, Koh KW, Ahn CW. ViMo (virtualization for mobile):A virtual machine monitor supporting full virtualization for ARM mobile systems. In:Proc. of the 1st Int'l Conf. on Cloud Computing, GRIDs, and Virtualization. 2010. 48-53.

[36] Hwang JY, Suh SB, Heo SK, Park CJ, Ryu JM, Park SY, Kim CR. Xen on ARM:System virtualization using Xen hypervisor for ARM-based secure mobile phones. In:Proc. of the 5th IEEE Conf. on Consumer Communications and Networking Conf. 2008. 257-261.[doi:10.1109/ccnc08.2007.64]

[37] Dall C, Nieh J. KVM for ARM. In:Proc. of the Ottawa Linux Symp. 2010. 45-56.

[38] Heiser G, Leslie B. The OKL4 microvisor:Convergence point of microkernels and hypervisors. In:Proc. of the ACM SIGCOMM Asia-Pacific Workshop on Systems (APSYS 2010). 2010. 19-24.[doi:10.1145/1851276.1851282]

[39] Lee SM, Suh SB, Jeong B, Mo S. A multi-layer mandatory access control mechanism for mobile devices based on virtualization. In:Proc. of the Consumer Communications and Networking Conf. 2008. 251-256.[doi:10.1109/ccnc08.2007.63]

[40] Park M, Yoo SH, Yoo C. Real-Time operating system virtualization for xen-arm. In:Proc. of the 4th Int'l Symp. on Embedded Technology. 2009. 1-2.

[41] Liu CL, Layland JW. Scheduling algorithms for muliprogramming in a hard-real-time environment. Journal of the ACM, 2002, 20(1):46-61.[doi:10.1145/321738.321743]

[42] Li DJ. Multi-Platform extension of lightweight virtual machines[MS. Thesis]. Wuhan:Huazhong University of Science and Technology, 2011(in Chinese with English abstract).[doi:10.7666/d.d188307]

[43] Rossier D. EmbeddedXEN:A revisited architecture of the Xen hypervisor to support ARM-based embedded virtualization. White Paper, 2012.

[44] Zhong MZ. Study of embedded system security assurance based on virtualization technology[MS. Thesis]. Tianjin:Nankai University, 2013(in Chinese with English abstract).

[45] Yang YJ, Gao YW. Study of direct access mapping of image files in Xen virtualized environment. Chines High Technology Letters, 2012,22(5):483-489(in Chinese with English abstract).[doi:10.3772/j.issn.1002-0470.2012.05.006]

[46] Zhao YH. Study of Linux kernel virtual machine technology implemented on ARM platform[MS. Thesis]. Wuhan:Huazhong University of Science and Technology, 2011(in Chinese with English abstract).[doi:10.7666/d.d187115]

[47] Ding JH, Lin CJ, Chang PH, Tsang CH, Hsu WC, Chung YC. ARMvisor:System virtualization for ARM. In:Proc. of the Ottawa Linux Symp. 2012. 95-109.

[48] Dall C, Nieh J. KVM/ARM:The design and implementation of the Linux ARM hypervisor. In:Proc. of the 19th Int'l Conf. on Architectural Support for Programming Languages and Operating Systems. 2014. 333-348.[doi:10.1145/2541940.2541946]

[49] Barham P, Dragovic B, Fraser K, Hand S, Harris T, Ho A, Neugebauer R, Pratt I, Warfield A. Xen and the art of virtualization. ACM Sigops Operating System Review, 2003,37(5):164-177.[doi:10.1145/1165389.945462]

[50] Lengyel TK, Kittel T, Pfoh J, Eckert C. Multi-Tiered security architecture for ARM via the virtualization and security extensions. In:Proc. of the Security in Highly Connected IT Systems. 2014. 308-312.[doi:10.1109/DEXA.2014.68]

[51] Kivity A, Kamay Y, Laor D, Lublin U, Liguori A. KVM:The Linux virtual machine monitor. In:Proc. of the Linux Symp. 2007. 225-230.

[52] Russel R. Virtio:Towards a de-facto standard for virtual I/O devices. ACM SIGOPS Operating System Review, 2008,42(5):95-103.[doi:10.1145/1400097.1400108]

[53] Paolino M, Rigo A, Spyridakis A, Fanguède J, Lalov P, Raho D. T-KVM:A trusted architecture for KVM ARM v7 and v8 virtual machines securing virtual machines by means of KVM, TrustZone, TEE and SELinux. In:Proc. of the 6th Int'l Conf. on Cloud Computing, GRIDs, and Virtualization. 2015. 39-45.

[54] Liedtke J. On μ-kernel construction. In:Proc. of the 15th ACM Symp. on Operating System Principles. 1995. 237-250.[doi:10. 1145/224056.224075]

[55] Varanasi P. Implementing hardware-supported virtualization in OKL4 on ARM[Bachelor Thesis]. Sydney:University of New South Wales, 2010.[doi:10.1145/2103799.2103813]

[56] Yang Y, Qian ZJ, Huang H. A lightweight monitor for Android kernel protection. Computer Engineering, 2014,40(4):48-52(in Chinese with English abstract).[doi:10.3969/j.issn.1000-3428.2014.04.009]

[57] Horsch J, Wessel S. Transparent page-based kernel and user space execution tracing from a custom minimal ARM hypervisor. In:Proc. of the IEEE Int'l Conf. on Trust, Security and Privacy in Computing and Communications. 2015. 408-417.[doi:10.1109/Trustcom.2015.401]

[58] Nordholz J, Vetter J, Peter M, Junker-Petschick M, Danisevskis J. XNPro:Low-Impact hypervisor-based execution prevention on ARM. In:Proc. of the Int'l Workshop on Trustworthy Embedded Devices. 2015. 55-64.[doi:10.1145/2808414.2808415]

[59] Chen PM, Noble BD. When virtual is better than real. In:Proc. of the 8th Workshop on Hot Topics in Operating Systems. 2001. 133-138.

[60] Enck W, Gilbert P, Han S, Tendulkar V, Chun BG, Cox LP, Jung J, Mcdaniel P, Sheth AN. TaintDroid:An information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. on Computer Systems, 2014,32(2):5:1-5:29.[doi:10.1145/2619091]

[61] Lin JH, Ren W, Jia LL. The design and implementation of a system for privacy protection in Android. Netinfo Security, 2013,(7):16-19(in Chinese with English abstract).[doi:10.3969/j.issn.1671-1122.2013.07.004]

[62] Jia P, He X, Liu L, Gu B, Fang Y. A framework for privacy information protection on Android. In:Proc. of the Int'l Workshop on Sensor, Peer-to-peer and Social Networks. 2015. 1127-1131.[doi:10.1109/ICCNC.2015.7069508]

[63] Shen D, Zhang ZK, Ding XH, Li ZJ, Deng RH. H-Binder:A hardened binder framework on android systems. In:Proc. of the 12th EAI Int'l Conf. on Security and Privacy in Communication Networks. 2016. 24-43.

[64] Cheng Y, Ding X. Virtualization based password protection against malware in untrusted operating systems. In:Proc. of the Int'l Conf. on Trust and Trustworthy Computing. 2012. 201-218.[doi:10.1007/978-3-642-30921-2_12]

[65] ARM. ARM security technology-Building a secure system using trustzone technology. ARM Technical White Paper, 2009.

[66] Santos N, Raj H, Saroiu S, Wolman A. Using ARM trustzone to build a trusted language runtime for mobile applications. In:Proc. of the Int'l Conf. on Architectural Support for Programming Languages and Operating Systems. 2014. 67-80.[doi:10.1145/2541940.2541949]

[67] Azab AM, Ning P, Shah J, Chen Q, Bhutkar R, Ganesh G, Ma J, Shen W. Hypervision across worlds:real-time kernel protection from the ARM trustzone secure world. In:Proc. of the ACM Sigsac Conf. on Computer and Communications Security. 2014. 90-102.[doi:10.1145/2660267.2660350]

[68] Zhao S, Zhang Q, Hu G, Qin Y, Feng D. Providing root of trust for ARM trustzone using on-chip SRAM. In:Proc. of the 4th Int'l Workshop on Trustworthy Embedded Devices. 2014. 25-36.[doi:10.1145/2666141.2666145]

[69] Pinto S, Oliveira D, Pereira J, Cardoso N, Ekpanyapong M, Cabral J, Tavares A. Towards a lightweight embedded virtualization architecture exploiting ARM TrustZone. In:Proc. of the IEEE Int'l Conf. on Emerging Technologies and Factory Automation. 2014. 1-4.[doi:10.1109/ETFA.2014.7005255]

[70] Sun H, Sun K, Wang Y, Jing J. TrustOTP:Transforming smartphones into secure one-time password tokens. In:Proc. of the ACM Sigsac Conf. on Computer and Communications Security. 2015. 976-988.[doi:10.1145/2810103.2813692]

附中文参考文献:

[5] 李文新,王姜博,慕德俊,袁源.Android系统Rootkit技术综述.微处理机,2011,32(2):68-72.[doi:10.3969/j.issn.1002-2279.2011.02. 020]

[20] 黄建波,丁扬,方芳.虚拟化与云计算.见:亚太信息网络与数字安全会议论文集.2011.83-86.

[26] 余宽隆,陈瑜,茅俊杰,张磊.ARM-MuxOS:一台手机,多个世界.计算机科学,2014,41(10):7-11.[doi:10.11896/j.issn.1002-137X. 2014.10.002]

[42] 李大江.轻量级虚拟机的多平台扩展[硕士学位论文].武汉:华中科技大学,2011.[doi:10.7666/d.d188307]

[44] 钟木忠.基于虚拟化技术的嵌入式系统安全保证研究[硕士学位论文].天津:南开大学,2013.

[45] 杨亚军,高云伟.Xen虚拟化环境中镜像文件的访问直接映射研究.高技术通讯,2012,22(5):483-489.[doi:10.3772/j.issn.1002-0470.2012.05.006]

[46] 赵亚辉.ARM平台上实现Linux内核虚拟机技术研究[硕士学位论文].武汉:华中科技大学,2011.[doi:10.7666/d.d187115]

[56] 杨永,钱振江,黄皓.一种轻量级的Android内核保护监控器.计算机工程,2014,40(4):48-52.[doi:10.3969/j.issn.1000-3428.2014. 04.009]

[61] 林佳华,任伟,贾磊雷.Android手机隐私保护系统的设计与实现.信息网络安全,2013(7):16-19.[doi:10.3969/j.issn.1671-1122.2013.07.004]

Get Citation

李舟军,沈东,苏晓菁,马金鑫.基于ARM虚拟化扩展的安全防护技术.软件学报,2017,28(9):2229-2247

Copy

Article Metrics

Abstract:4121
PDF: 6776
HTML: 3898
Cited by: 0

History

Received:July 10,2016
Revised:November 10,2016
Adopted:
Online: September 02,2017
Published:

You are the first2036651Visitors
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4
Address：4# South Fourth Street, Zhong Guan Cun, Beijing 100190,Postal Code：100190
Phone：010-62562563 Fax：010-62562533 Email：jos@iscas.ac.cn
Technical Support：Beijing Qinyun Technology Development Co., Ltd.

Beijing Public Network Security No. 11040202500063

微信服务号

微信订阅号

Get Citation

Share

微信扫一扫：分享

Article Metrics

History