Analysis and Implementation of Security Hardening for IaaS Cloud Platforms
Published: 2019-02-17 09:52
[Abstract]: In the era of cloud computing, cloud security is growing in importance. On the one hand, the cloud computing model by its nature separates data ownership from data management, so a cloud administrator is objectively in a position to abuse administrative privileges and steal users' private data. On the other hand, the IaaS cloud platform is the foundation layer of the whole cloud stack, so the configuration of each IaaS component and vulnerabilities in how the system is built can affect the secure operation of the entire cloud environment. This thesis first surveys the main technical approaches in related work at home and abroad, covering four areas: fine-grained partitioning of cloud platform privileges, run-time arbitration on the cloud platform, traceability and accountability in the cloud model, and security configuration of IaaS cloud platforms. Next, to expose the problems of blurred division of management privileges, abuse and misuse of privileged operations, and configuration vulnerabilities in the IaaS model, the thesis analyses the architecture, privilege division and log auditing of current mainstream cloud platforms (OpenStack, VMware vSphere, QEMU+KVM and Xen) and implements five real attack instances in which a malicious cloud administrator steals user data from the IaaS platform. The research and implementation work on hardening IaaS cloud platforms is divided into two parts. The first is control and auditing of privileged behaviour on the IaaS platform: based on the platform's API, privileges are partitioned at fine granularity, roles are defined, and privileged operations are intercepted, reviewed and audited. The second is security configuration checking and hardening: based on the platform's configuration, the IaaS platform is checked for insecure settings and remediated.
Experiments on OpenStack and VMware vSphere show that the API-based privileged-behaviour control and audit system provides fine-grained privilege partitioning, seamless adaptation, privilege control and log auditing for both platforms while keeping users' normal operation response times acceptable; security configuration hardening of OpenStack and VMware vSphere reduces the attack surface and keeps the IaaS platform operating securely.
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year granted]: 2017
[Classification number]: TP393.08
Document ID: 2425038
Link to this document: https://www.wllwen.com/guanlilunwen/ydhl/2425038.html