Research and Implementation of a Secure Multi-Level Access Control Mechanism in a Virtualized Environment (虚拟化环境下安全多级访问控制机制研究与实现)
Abstract: In today's society, information has become a critical strategic resource, so a country's information security capability is a good reflection of its comprehensive national strength. On the one hand, science, technology and information technology are at a stage of unprecedented prosperity, and the information industry has become the largest industry in the world; on the other hand, information security incidents are growing more frequent, and the problem of information security is urgent. With the development of the Internet, and especially the emergence of network applications such as cloud computing and distributed systems, people's lives become more and more convenient because more and more data can be obtained from the network. As people's dependence on the network grows, so do the security requirements on the data obtained from it. At the same time, because virtualization is one of the key technologies used to build its infrastructure, cloud computing provides a more open and more interactive network environment, and people are increasingly inclined to obtain all the data and information they need from the cloud. Because a cloud computing network differs from a traditional network system, and because traditional access control technology such as firewalls has difficulty preventing active leakage and malicious Trojan horses, traditional access control technology cannot be applied to the virtualized environment without change. How to allow data in a virtualized environment to be fully shared while still enforcing strict access control is therefore a difficult problem that remains to be solved. In general, the security access control model of a conventional system is enforced mainly by setting user rights for data access.
Such an access control mechanism makes the management and control of data depend excessively on the user, so that the system can be attacked not only by external attackers but sometimes also by internal users. The multi-level security model was developed to overcome these disadvantages. It uses the management mechanism of users and data to move from discretionary access control over data to mandatory access control, so that secure access control of the data is achieved to a certain extent. So far, many multi-level security models have been used in different environments, such as the military and commerce, but because the model semantics are often irrational and fuzzy, practical support is insufficient and application is not widespread. In this paper, on the basis of the multilevel relational model MLR, a general-purpose entity-based multilevel relational model, the E-MLR model, is proposed. In the E-MLR model, we redefine the semantics and the statement operations to ensure secure isolation between different entities within a traditional network, as well as secure communication within an entity. Then, using the KVM virtual machine as the reference research environment, the E-MLR model is extended to the virtualized environment, and the virtual multi-level group security model V-MGSM is put forward to meet the data access security requirements between virtual machines. The aim is to group virtual machines according to the corresponding entity, to control access between different groups, and to handle the communication process between virtual machines in the same group and the memory-sharing problem in the virtualized environment. On this basis, this paper gives the implementation of the access control mechanism on the KVM virtualization platform and the test results.
The main contents are as follows: 1. Based on the MLR model, a general-purpose entity-based multilevel relational model, E-MLR, is proposed; it redefines the semantics of the data and puts forward the idea of data borrowing. Four general data operation instructions are then defined so that a low-level user cannot modify the objects of a high-level user's view, thereby achieving the goal of system information security. 2. The general E-MLR model is extended to a virtualization system, a secure access control mechanism for communication among virtual machines in a virtualized environment is established, the V-MGSM model is proposed, and its data interpretation, integrity property, operation instructions and security proof are given. 3. On the KVM virtual machine platform, the implementation process and test results of the virtual machine access control mechanism are given; the results show that the proposed V-MGSM model is correct and secure.
Degree-granting institution: 西安电子科技大学 (Xidian University)
Degree level: Master's
Year degree granted: 2014
Classification number: TP393.08
Author: 薛莹芳 (this thesis: 虚拟化环境下安全多级访问控制机制研究与实现 [D]; 西安电子科技大学; 2014)
Article ID: 2363530
Link: https://www.wllwen.com/guanlilunwen/ydhl/2363530.html