Construction Method of Trusted Virtual Execution Environment Based on Trusted Platform Control Module
  • English title: Construction Method of Trusted Virtual Execution Environment Based on Trusted Platform Control Module
  • Authors: WANG Xiao (王晓); ZHANG Jianbiao (张建标); ZENG Zhiqiang (曾志强)
  • Institutions: Faculty of Information Technology, Beijing University of Technology; Beijing Key Laboratory of Trusted Computing; Science and Technology on Information Assurance Laboratory
  • Keywords: trusted computing; cloud computing; cloud security; trusted platform control module (TPCM); trusted root virtualization; virtual trusted root migration
  • Journal code (Chinese journal name): BJGD
  • Journal name (English): Journal of Beijing University of Technology
  • Publication date: 2019-06-10
  • Publisher: Journal of Beijing University of Technology (北京工业大学学报)
  • Year: 2019
  • Issue: v.45
  • Funding: Open Fund of the Science and Technology on Information Assurance Laboratory (KJ-17-004); Open Project of the National Defense Science and Technology Experimental Information Security Laboratory (2015XXAQ08)
  • Language: Chinese
  • Page: BJGD201906005
  • Page count: 12
  • CN: 06
  • ISSN: 11-2286/T
  • Classification number: 44-55
Abstract
To address the trustworthiness of a single computing node in a cloud computing environment and the preservation of trust relationships among multiple nodes during virtual machine migration, a method for constructing a trusted virtual execution environment is proposed, based on the trusted platform control module (TPCM), the trusted root of China's trusted computing technology. The method virtualizes the TPCM to generate a virtual trusted root for each virtual machine in the cloud and extends the cloud trust chain from the physical layer to the virtual layer, which constructs a trusted execution environment on a single computing node. For the dynamic migration characteristics of cloud virtual machines, a certificate generation and management mechanism suited to virtual trusted root migration is designed on the basis of a multi-level certificate authority (CA), and a dynamic trusted migration scheme for virtual trusted roots is proposed, which preserves the trust relationship among multiple nodes during migration. Experimental results show that the scheme can construct a virtual trusted execution environment and realize the dynamic trusted migration of virtual trusted roots.
