云环境下计算资源的可信隔离关键技术研究

发布时间：2018-01-07 01:27

  本文关键词：云环境下计算资源的可信隔离关键技术研究　出处：《北京工业大学》2016年硕士论文　论文类型：学位论文

  更多相关文章： 可信计算 可信隔离 可信度量 可信审计 云计算

【摘要】：随着时代的发展,云计算引起信息技术的获取与服务模式发生革命性变革,它提供高性能计算资源服务和大规模的廉价共享资源,通过虚拟化技术为众多用户构建虚拟资源环境,在当前各个领域得到广泛应用。但是因为在云环境中,用户的数据以及业务流程在物理逻辑上都托管存放于服务商的服务器组上,用户对自身数据的掌控力度较低,由此引发了用户和服务商之间的信任问题。传统的研究方案面临复杂的云环境架构以及云环境中的海量数据很吃力,而且无法解决内部人员对用户重要信息的窃取和破坏。为了构建一个可靠的云环境安全体系,解决云环境的信任和数据安全等问题,提出并实现一种基于可信计算架构的云环境隔离机制,结合云环境自身机制,从隔离的网络架构划分、可信功能在云环境中的执行效率和调用方法以及整个架构中安全消息传递的方法等多个角度提出研究方案,对云环境中虚拟机所使用的资源和虚拟机本身应用环境匹配不同的可信策略完成对云环境的隔离机制。提出多层可信封装机制为应用层的可信管理程序和安全管理程序提供简单事务型接口并完成可信功能的自动化调用。并分别通过实验和流程分析验证相关模型和方案的有效性。主要针对以下方面做了研究:1.针对目前在云环境中信任的缺乏问题,从中国工程院咨询项目《云可信架构研究》提出的可信云思想做出扩展,在云环境基础上引入云安全审计服务器和云服务验证环境服务器来为云环境提供可信方面的支持,并与云环境自身的安全机制结合,根据制定的可信策略从资源和应用层面分别做出隔离划分,并通过可信审计机制给出可信报告,最大程度保证了对云环境的兼容和可控,并保障了云用户和云服务商的信任关系。2.为了引入可信功能而且对云环境本身的程序代码执行效率不产生明显影响,提出了一种多层封装的可信服务接口的可信计算应用调用模式。通过对可信计算中自底向上的五层封装,构建了一个面向应用的可信服务接口的可信计算应用调用模式,规范了应用层对可信计算功能的使用方式,并实现了可信计算功能对应用层的透明支持以及自动化触发。3.为了保证消息在传递过程中的准确性和效率,本文提出一种可信架构的消息传递方法,可以通过消息策略的配置来实现对消息的筛选、分发和加密。保证消息本体不会在传输途中遭到盗取,并根据安全级别对消息的传递效率做了有效分类,从而保证了消息的可靠传输。
[Abstract]:With the development of the times, cloud computing has revolutionized the acquisition and service mode of information technology. It provides high-performance computing resources services and large-scale low-cost shared resources. Using virtualization technology to build virtual resource environment for many users has been widely used in various fields, but in the cloud environment. The user's data and business process are hosted in the server group of the service provider in the physical logic, and the user's control of their own data is low. This leads to the trust problem between users and service providers. Traditional research solutions face complex cloud environment architecture and massive data in the cloud environment is very difficult. In order to build a reliable cloud environment security system and solve the cloud environment trust and data security and other problems. A cloud environment isolation mechanism based on trusted computing architecture is proposed and implemented. The execution efficiency of trusted function in the cloud environment and the method of invoking the method, as well as the method of secure messaging in the whole architecture, etc., are proposed in this paper. The isolation mechanism of cloud environment is implemented by matching different trusted strategies between the resources used by virtual machines in cloud environment and the virtual machine itself. A multi-layer trusted encapsulation mechanism is proposed as a trust manager and security management in application layer. The program provides simple transactional interface and accomplishes the automatic call of trusted function. The validity of related models and schemes is verified by experiment and flow analysis respectively. The following aspects are mainly studied:. 1. Address the current lack of trust in the cloud environment. From the Chinese Academy of Engineering consulting project "cloud trusted architecture research" proposed by the trusted cloud ideas to expand. The cloud security audit server and the cloud service authentication environment server are introduced on the basis of the cloud environment to provide trusted support for the cloud environment and combine with the security mechanism of the cloud environment itself. According to the established trusted strategy, the resources and the application level are separated, and the trusted report is given through the trusted audit mechanism, which ensures the compatibility and controllability of the cloud environment to the greatest extent. The trust relationship between cloud users and cloud service providers is guaranteed. 2. In order to introduce trusted function, it has no obvious effect on the efficiency of program code execution in cloud environment itself. In this paper, a trusted computing application invocation mode based on multi-layer encapsulated trusted service interface is proposed, which is based on the bottom-up five-layer encapsulation of trusted computing. In this paper, a trusted computing application call mode for application trusted service interface is constructed, and the application layer's usage mode of trusted computing function is standardized. In order to ensure the accuracy and efficiency of message delivery, a trusted architecture message passing method is proposed in this paper. Message policy can be configured to filter, distribute and encrypt messages, to ensure that message ontology will not be stolen on the way of transmission, and to effectively classify the transmission efficiency of messages according to the security level. This ensures the reliable transmission of messages.
【学位授予单位】：北京工业大学
【学位级别】：硕士
【学位授予年份】：2016
【分类号】：TP309
，

本文编号：1390398