基于SGX的虚拟网络功能安全保护机制研究
发布时间:2019-06-17 18:11
【摘要】:网络功能虚拟化(NFV)是一种利用虚拟化技术来减少硬件依赖的更灵活简单的网络发展模式。NFV的最终目标是,通过基于行业标准的x86服务器、存储和交换设备,来取代通信网的那些私有专用的网元设备。然而,NFV利用云计算和虚拟化技术为新一代网络业务提供更好的伸缩性和自动化能力的同时,也面临着虚拟化和网络基础设施带来的一些重大安全威胁。针对NFV目前面临的一个主要的问题,就是如何为虚拟网络功能(VNF)构建一个可信的执行环境,确保虚拟网络功能实例运行的安全。我们提出一种基于Intel SGX技术的虚拟网络功能安全保护机制。该机制利用了 SGX技术的内存隔离、安全认证等特性,通过多个安全模块的整合来保障NFV平台上VNF实例的安全。该保护机制中利用SGX内存隔离及密封特性对虚拟机上独立运行的VNF实例进行隔离保护,确保它启动及运行时的安全,同时支持VNF实例的恢复;基于SGX安全远程认证特性,对虚拟机上运行的VNF实例进行统一的安全认证和密钥管理,并扩展虚拟网络功能之间的安全通信,以及平台的信息采集和规则策略安全下发的功能。最后,基于QEMU-KVM架构实现了该安全保护模型,并对该框架中的关键技术进行了详细的设计和描述。实验及分析表明,该安全保护框架能够为VNF实例提供一个安全运行,认证以及管理的可信保护环境。同时,SGX技术引入为VNF实例的运行、安全认证及安全通信带来较小的开销。
[Abstract]:Network functional virtualization (NFV) is a more flexible and simple network development mode which uses virtualization technology to reduce hardware dependency. The ultimate goal of (NFV) is to replace the private network element devices of communication networks through industry-standard x86 servers, storage and switching devices. However, while NFV uses cloud computing and virtualization technology to provide better scalability and automation for the next generation of network services, it is also facing some major security threats posed by virtualization and network infrastructure. One of the main problems faced by NFV at present is how to build a trusted execution environment for virtual network function (VNF) to ensure the security of virtual network function instances. We propose a virtual network functional security protection mechanism based on Intel SGX technology. This mechanism makes use of the memory isolation and security authentication of SGX technology to ensure the security of VNF instances on NFV platform through the integration of multiple security modules. In this protection mechanism, the SGX memory isolation and sealing characteristics are used to isolate and protect the VNF instance running independently on the virtual machine to ensure the security of its startup and run, and to support the recovery of the VNF instance at the same time. Based on the SGX security remote authentication characteristic, the VNF instance running on the virtual machine is unified security authentication and key management, and the security communication between the virtual network functions, as well as the function of information collection and rule policy security distribution of the platform are extended. Finally, the security protection model is implemented based on QEMU-KVM architecture, and the key technologies in the framework are designed and described in detail. Experiments and analysis show that the security protection framework can provide a trusted protection environment for VNF instances to operate, authenticate and manage safely. At the same time, the introduction of SGX technology brings less overhead for the operation of VNF instance, security authentication and secure communication.
【学位授予单位】:武汉大学
【学位级别】:硕士
【学位授予年份】:2017
【分类号】:TP309
本文编号:2501163
[Abstract]:Network functional virtualization (NFV) is a more flexible and simple network development mode which uses virtualization technology to reduce hardware dependency. The ultimate goal of (NFV) is to replace the private network element devices of communication networks through industry-standard x86 servers, storage and switching devices. However, while NFV uses cloud computing and virtualization technology to provide better scalability and automation for the next generation of network services, it is also facing some major security threats posed by virtualization and network infrastructure. One of the main problems faced by NFV at present is how to build a trusted execution environment for virtual network function (VNF) to ensure the security of virtual network function instances. We propose a virtual network functional security protection mechanism based on Intel SGX technology. This mechanism makes use of the memory isolation and security authentication of SGX technology to ensure the security of VNF instances on NFV platform through the integration of multiple security modules. In this protection mechanism, the SGX memory isolation and sealing characteristics are used to isolate and protect the VNF instance running independently on the virtual machine to ensure the security of its startup and run, and to support the recovery of the VNF instance at the same time. Based on the SGX security remote authentication characteristic, the VNF instance running on the virtual machine is unified security authentication and key management, and the security communication between the virtual network functions, as well as the function of information collection and rule policy security distribution of the platform are extended. Finally, the security protection model is implemented based on QEMU-KVM architecture, and the key technologies in the framework are designed and described in detail. Experiments and analysis show that the security protection framework can provide a trusted protection environment for VNF instances to operate, authenticate and manage safely. At the same time, the introduction of SGX technology brings less overhead for the operation of VNF instance, security authentication and secure communication.
【学位授予单位】:武汉大学
【学位级别】:硕士
【学位授予年份】:2017
【分类号】:TP309
【参考文献】
相关期刊论文 前3条
1 郭志斌;陈扬帆;刘露;;NFV安全需术及应对策略[J];电信科学;2016年03期
2 余秦勇;童斌;陈林;;虚拟化安全综述[J];信息安全与通信保密;2012年11期
3 甘宏;潘丹;;虚拟化系统安全的研究与分析[J];信息网络安全;2012年05期
,本文编号:2501163
本文链接:https://www.wllwen.com/kejilunwen/ruanjiangongchenglunwen/2501163.html
