期刊文献+
任意字段
题名或关键词
题名
关键词
文摘
作者
第一作者
机构
刊名
分类号
参考文献
作者简介
基金资助
栏目信息

一种基于VT-d技术的虚拟机安全隔离框架研究 被引量:5

Research on VT-d based Virtual Machine Isolation Framework
下载PDF
导出
摘要 虚拟化技术作为云计算Iaa S服务的支撑,能从根本上解决云计算平台上虚拟机面临的安全威胁问题。针对目前云计算虚拟机隔离执行环境在设备I/O和内存访问隔离方面的不足,文章结合基于硬件辅助虚拟化的VT-d技术以及可信计算中虚拟可信平台模块(v TPM)独立域的思想,提出了一个在Xen云平台上的安全隔离框架。该框架中由v TPM独立域对虚拟机内的数据和代码进行加密保护,并基于独立域思想对虚拟机镜像本身加密;使用VT-d技术为虚拟机直接分配网卡设备,并扩展XSM安全模块,增加了虚拟机之间授权表策略控制。实验与分析表明,该框架能够有效确保虚拟机之间的设备I/O及内存访问安全隔离,提升虚拟机隔离环境的安全性,且能较好满足系统运行性能。 As the basis of cloud computing IaaS service, virtualization technology can fundamentally solve the threats that the virtual machines face on the cloud computing platform. In view of the deficiencies of the current cloud computing virtual machine isolation implementation environment in the aspect of device I/O and memory access isolation, this paper presents security isolation framework on a Xen cloud platform, combining the ideal of virtualization technology VT-d with trusted computing independent domain. In the framework, data and code encryption is implemented by vTPM independent domain, which encrypts the VM image. The framework assigns NIC to VM through VT-d technology, and extends the authorization control of grant table mechanism in XSM module. Experiments and analysis show that the framework is able to ensure device I/O and memory access security isolation between the virtual machines effectively, enhance the security of virtual machine isolation environment, and meet the system performances.
作者 杨永娇 严飞 于钊 张焕国
机构地区 广东电网有限责任公司信息中心 武汉大学计算机学院 空天信息安全与可信计算教育部重点实验室
出处 《信息网络安全》 2015年第11期7-14,共8页 Netinfo Security
基金 国家自然科学基金[61272452 61003268 61173138 91118003 61303024] 国家重点基础研究发展计划(国家973计划)[2014CB340600]
关键词 虚拟化 可信计算 隔离 虚拟可信平台模块 VT-d virtualization trusted computing isolation VT-d vTPM
分类号 TP309 [自动化与计算机技术—计算机系统结构]
  • 相关文献

参考文献26

  • 1武越,刘向东.涉密环境桌面虚拟化多级安全系统设计与实现[J].信息网络安全,2014(9):101-104. 被引量:7
  • 2Chen X. Overshadow: a virtualization-based approach to retrofitting protection m commodity operating systems[C]//ACM SIGOPS Operating Systems Review. ACM, 2008, 42(2): 2-13.
  • 3Champagne D. Scalable architectural support for trusted software[C]// High Performance Computer Architecture (HPCA), 2010 IEEE 16th International Symposium on. IEEE, 2010: 1-12.
  • 4Chhabra S, Rogers B. SecureME: a hardware-software approach to filll system security[Cl//Proceedings of the international conference on Supercomputing. ACM, 201 I: 108-I19.
  • 5Wang Z. Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity[C]//Security and Privacy (SP), 2010 IEEE Symposium on. IEEE, 2010: 38(3-395.
  • 6Zhang F, Chen J. Cloudvisor: Retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization[C] // Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles. New York :ACM, 201 l: 203-216.
  • 7Azab A M, Ning P, Zhang X. Sice: a hardware-level strongly isolated computing environment for x86 multi-core platforms[C]//Proceedings of the 18th ACM conference on Computer and communications security. ACM, 2011: 375-388.
  • 8Hua J, Sakurai K. Barrier: a lightweight hypervisor for protecting kernel integrity via memory isolation[C]//Proceedings of the 27th Annual ACM Symposium on Applied Computing. ACM, 2012: 1470-1477.
  • 9Pan W, Zhang Y. Improving virtualization security by splitting hypervisor into smaller components[C]//Data and Applications Security and Privacy XXVI. Springer Berlin Heidelberg, 2012:298-313.
  • 10Jin S, Ahn J. Architectural support for secure virtualization under a vulnerable hypervisor[C]//Proceedings of the 44th Annual IEEE/ACM International Symposium on Microarchitecture.ACM, 2011: 272-283.

二级参考文献33

  • 1沈昌祥,张焕国,王怀民,王戟,赵波,严飞,余发江,张立强,徐明迪.可信计算的研究与发展[J].中国科学:信息科学,2010,40(2):139-166. 被引量:252
  • 2George Cokder. Xen Security Modules (XSM)[C]. the Xen Summit of2007. New York, April 17thand 18th, 2007.
  • 3Serdar Cabuk, Chris I. Dalton, HariGovind Rainasamy,et al. Towardsautomated provisioning of secure virtualised networks[C]. Proceedings ofACM CCS, 2007:12-14.
  • 4ZhengW M, Xu P Z, Huang X M, et al. Design a cloudstoragcplatform for pervasive computing environments [J]. ClusterComputing,2010, 13(2): 141 — 151.
  • 5BellD E, La Padula L J. Secure computer systems: unified expositionand multics interpretation [R]. Bedford: MITRE Corporation, 1976.
  • 6Bell DE, La Padula LJ. Secure computer systems: Mathematicalfoundations[C]. ESD-TR-73-278, I (AD) 770 768, ElectronicSystemsDivision, Air Force System Command, Hanscom AFB. Bedford,1973.
  • 7LeiYu, Chuliang Weng, Minglu Li, et al. Security challenges onthe clone, snapshot, migration and rollback of Xen based computingenvironments(C]. Guangzhou China, Proceedings of the Fifth AnnualCinaGrid Conference, 2012:223—227.
  • 8Miller,K.,M. Pegah.Virtualization: virtually at the desktop[C], inProceedings of the 35th annual ACM SIGUCCS conference on Userservices. 2007, ACM: Orlando, Florida, USA.
  • 9Michael Factor, Dalit Naor, et al. Capability based Secure AccessControl to Networked Storage Devices(C]. 24ch IEEE Conference onMass Storage Systems and Technologies, 2007:43—47.
  • 10Trusted Computing Group.TPM Main Specification versionl.2 [EB/OL]. http://www.trustedcompuup.org/resources/tprn_main_specification, 2006.

共引文献19

同被引文献27

引证文献5

二级引证文献8

信息网络安全
2015年 第11期

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部