Research on a Non-Interference Security Policy Model and Security Mechanisms for Xen
Published: 2019-04-20 07:29
[Abstract]: With the development of computer technology, virtualization, as the most important supporting technology of cloud computing, has become a research hotspot in recent years. Among the many virtualization technologies, Xen is widely recognized by industry for its superior performance and open-source nature. Xen is a system virtual machine (System Virtual Machine, SVM): it manages and controls all hardware and software resources in the system and provides mutually isolated execution environments for the multiple virtual machines running concurrently on top of it. However, if Xen is compromised, every virtual machine running on it is endangered, causing serious losses. Therefore, the security of the Xen virtual machine has become a research focus in recent years.

This thesis studies the security policy model and security mechanisms of the Xen virtual machine. The main work consists of the following four points:

1. A least-privilege non-interference security policy model (Non-interference Security Policy Model with Least Privilege, LPNIM) is proposed. The model is formally described using Roscoe's non-interference theory and the process algebra CSP (Communicating Sequential Processes), and its isolation and sharing policies are formally proved using Roscoe's lazy abstraction and determinism and Schneider's rank functions. Drawing on the principle of least privilege, the model enforces policy at two levels, the partition level and the subject/resource level, so that the confidentiality non-interference security policy model and the integrity non-interference security policy model are organically combined and the system's confidentiality, integrity and least-privilege requirements are met.

2. A security-enhanced Xen virtual machine architecture (Security-Enhanced Xen, SEXen) is constructed. Based on LPNIM, SEXen modifies the existing Xen architecture by adding a network domain, a Trusted Launch Module (TLM) and a Finer-grained Mandatory Access Control Module (FMACM). SEXen simplifies the operations of the privileged domain Dom0 and meets the model's requirements for trusted measurement capability and least-privilege information flow control capability.

3. A trusted launch mechanism covering the whole path from power-on to virtual machine start-up is implemented. Based on dynamic trusted measurement, a launch control policy is designed that allows a virtual machine to start only when measurement succeeds and the correct key is supplied. This mechanism protects the integrity of the system's initial state and blocks SMM (System Management Mode) bypass attacks.

4. A fine-grained information-flow access control mechanism is implemented. By modifying the Xen hypervisor kernel and the guest OS kernel, operations between virtual machines and inside a virtual machine can be controlled, so that such operations execute only when both the virtual-machine-level and the subject/resource-level security policies are satisfied. This mechanism realizes least-privilege information flow control and centralized, unified management of the security policy.
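The two-level policy of point 1 and the least-privilege Dom0 of point 2, as an added example that is not the thesis's own code or CSP formalism: a toy reference monitor over four constructed domains (Dom0, a network domain, two guests) is checked for intransitive non-interference using Rushby's purge formulation rather than the Roscoe/CSP one the thesis uses. Domain names, the flow relation, the operations and the two rights tables are all constructed for illustration.

```python
from itertools import product

DOMAINS = ["DOM0", "NET", "VM1", "VM2"]
# Partition-level policy (constructed): (u, v) means u may interfere with v.
# VM1 and VM2 may only communicate via the network domain; Dom0 manages both.
FLOWS = {("VM1", "NET"), ("NET", "VM1"), ("VM2", "NET"), ("NET", "VM2"),
         ("DOM0", "VM1"), ("DOM0", "VM2")}

def may_interfere(u, v):
    return u == v or (u, v) in FLOWS
def step(state, action, rights):
    # Reference monitor: (actor, op, target[, source]) runs only if the partition
    # level allows actor -> target AND the subject/resource level grants `op`.
    actor, op, target = action[:3]
    if not may_interfere(actor, target) or (actor, op) not in rights:
        return state                      # denied: no state change
    new = {d: list(m) for d, m in state.items()}
    if op == "send":                      # put a token into target's mailbox
        new[target].append(actor)
    elif op == "relay":                   # forward own mailbox (VM1 -> NET -> VM2)
        new[target].extend(new[actor])
    elif op == "dump":                    # copy source's mailbox into target
        new[target].extend(new[action[3]])
    return new
def run(seq, rights):
    state = {d: [] for d in DOMAINS}
    for a in seq:
        state = step(state, a, rights)
    return state
def ipurge(seq, v):
    # Rushby's intransitive purge: keep an action iff its actor can reach v
    # through the actors of the actions that follow it.
    kept, srcs = [], {v}
    for a in reversed(seq):
        if any(may_interfere(a[0], s) for s in srcs):
            srcs.add(a[0]); kept.append(a)
    return kept[::-1]
def noninterference_holds(actions, rights, max_len=3):
    # Each domain's view of every sequence must equal its view of the purged one.
    for n in range(1, max_len + 1):
        for seq in product(actions, repeat=n):
            for v in DOMAINS:
                if run(seq, rights)[v] != run(ipurge(seq, v), rights)[v]:
                    return False, (list(seq), v)
    return True, None

ACTIONS = [("VM1", "send", "VM1"), ("VM1", "send", "NET"),
           ("NET", "relay", "VM2"), ("DOM0", "dump", "VM2", "VM1")]
BLANKET_DOM0 = {("VM1", "send"), ("NET", "relay"), ("DOM0", "dump")}  # classic Dom0
LEAST_PRIV = {("VM1", "send"), ("NET", "relay")}  # "dump" withdrawn (SEXen idea)
```

With the blanket Dom0 right the check returns a witness in which Dom0 copies VM1's memory into VM2, a flow the partition-level policy never granted; withdrawing that single right makes every sequence up to length three non-interfering.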
[Degree-granting institution]: PLA Information Engineering University
[Degree level]: Master
[Year degree granted]: 2012
[Classification number]: TP302
Article ID: 2461409
Link to this article: https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/2461409.html