Abstract:
To address the problems of in-band integrity measurement schemes in cloud computing, namely their dependence on operating-system security mechanisms, complex deployment and wasted resources, this paper proposes an out-of-band integrity measurement scheme based on virtual machine introspection (VMI), which can be used to provide trusted virtual domains for tenants of cloud Infrastructure as a Service (IaaS). The scheme consists of two parts: an out-of-the-box monitoring sub-scheme and an in-and-out-of-the-box cooperative monitoring sub-scheme. The former performs fully transparent integrity measurement for open-source Linux virtual domains and also remedies the shortcomings of other out-of-the-box schemes based on system-call interception. The latter combines real-time and beforehand measurement, in-the-box and out-of-the-box measurement, fine-grained registry measurement and system-call-based inter-domain information transmission, so that it can measure the integrity of Windows virtual domains, which are not fully open source. Experiments show that the measurement capability of the scheme is complete and its performance impact is acceptable.
Keywords: cloud computing; virtualization; virtual machine introspection; trusted computing; integrity measurement
DOI: |
Received: November 23, 2015. Revised: December 16, 2015.
Funding: This work was supported by the National Natural Science Foundation of China (No. 61572066), the Specialized Research Fund for the Doctoral Program of Higher Education (No. 20120009110007) and the National Development and Reform Commission Information Security Special Project (No. [2013]1309).
|
Trusted Virtual Domain based on Virtual Machine Introspection Technology |
XING Bin, HAN Zhen, CHANG Xiaolin, LIU Jiqiang
School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China |
Abstract: |
In-band integrity measurement schemes in cloud computing suffer from weaknesses such as dependence on OS security mechanisms, complex deployment, and wasted computing resources. In this paper, an out-of-band integrity measurement scheme based on virtual machine introspection technology is proposed, which can be used to provide trusted virtual domains for the tenants of Infrastructure as a Service (IaaS). The scheme consists of two parts. One is the Out-of-the-Box Monitoring sub-scheme, which not only achieves fully transparent integrity measurement for Linux virtual domains but also makes up for the shortcomings of hypervisor-based schemes that rely on system-call interception. The other is the In-and-Out-of-the-Box Monitoring sub-scheme, which combines real-time and beforehand measurement methods, in-the-box and out-of-the-box measurement methods, a fine-grained registry measurement method and system-call-based inter-domain information transmission, and is able to measure the integrity of Windows virtual domains. Evaluation experiments show that the proposed scheme has complete measurement ability as well as acceptable performance impact.
Key words: cloud computing; virtualization; virtual machine introspection; trusted computing; integrity measurement
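The abstract contrasts beforehand measurement (a golden reference taken from a known-good image) with real-time out-of-the-box measurement (re-hashing the running guest's memory from the hypervisor side, without any cooperation from the guest OS). The following toy simulation, added here as an illustration and not code from the paper or its authors, models that idea: a constructed 64 KiB "guest physical memory" image is split into named regions, golden hashes are taken beforehand, and a later out-of-band check reports any region whose contents no longer match. The region names, offsets and sizes are assumptions chosen for the example; a real VMI monitor would obtain them from the guest's symbol information and page tables.

```python
import hashlib
from dataclasses import dataclass

PAGE = 4096  # assumed page size for the toy guest


@dataclass(frozen=True)
class Region:
    """A guest-physical memory region the out-of-band monitor measures (assumed layout)."""
    name: str
    start: int  # guest-physical offset of the region
    size: int   # region length in bytes


# Constructed measurement policy: regions whose contents must stay constant at runtime.
REGIONS = [
    Region("kernel_text", 0x0000, 4 * PAGE),
    Region("syscall_table", 0x4000, 1 * PAGE),
    Region("idt", 0x5000, 1 * PAGE),
]


def build_golden_image() -> bytearray:
    """Construct a deterministic known-good guest memory image (constructed sample data)."""
    mem = bytearray(16 * PAGE)
    for r in REGIONS:
        # Fill each region with a region-specific repeating byte pattern.
        pat = hashlib.sha256(r.name.encode()).digest()
        for i in range(r.size):
            mem[r.start + i] = pat[i % len(pat)]
    return mem


def measure(mem: bytearray, region: Region) -> str:
    """Hash one region exactly as a hypervisor-side reader would: raw bytes, no guest help."""
    return hashlib.sha256(bytes(mem[region.start:region.start + region.size])).hexdigest()


def beforehand_measure(mem: bytearray) -> dict:
    """Beforehand measurement: record golden hashes from a known-good image."""
    return {r.name: measure(mem, r) for r in REGIONS}


def realtime_check(mem: bytearray, golden: dict) -> list:
    """Real-time out-of-the-box check: return the names of regions whose hash drifted."""
    return [r.name for r in REGIONS if measure(mem, r) != golden[r.name]]


def simulate_tamper(mem: bytearray) -> bytearray:
    """Return a copy in which one 8-byte syscall-table entry has every byte flipped.
    Flipping guarantees the entry differs from the golden contents (constructed scenario)."""
    tampered = bytearray(mem)
    entry = 0x4000 + 8 * 59  # assumed slot index inside the toy syscall table
    for i in range(entry, entry + 8):
        tampered[i] ^= 0xFF
    return tampered


def main() -> None:
    golden_img = build_golden_image()
    golden = beforehand_measure(golden_img)
    print("clean guest drift:", realtime_check(golden_img, golden))          # []
    print("tampered guest drift:", realtime_check(simulate_tamper(golden_img), golden))  # ['syscall_table']


if __name__ == "__main__":
    main()
```

Because the check reads guest memory from outside the domain, a guest-resident modification cannot hide itself from it by disabling in-guest security mechanisms; what it cannot do by itself is attribute the change to a process or file, which is the gap the paper's in-and-out-of-the-box sub-scheme fills with system-call-based information from inside the guest.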