云计算可信客户域关键技术研究

发布时间：2017-12-31 00:46

  本文关键词：云计算可信客户域关键技术研究　出处：《北京交通大学》2016年博士论文　论文类型：学位论文

  更多相关文章： 云计算 可信计算 虚拟化 完整性度量 域外监控

【摘要】：云计算是一种新兴的基于互联网的计算方式和服务模式,是多种计算技术和网络技术融合的产物,也是近年来学术界和产业界研究的热点。凭借便利、易扩展和按需计费等优点,越来越多的企业和公众开始接受和使用云计算。云计算服务的租户需要将自己的数据和应用部署到云中,这将使数据和应用存在被攻击者非法读取或破坏的可能性。与此同时,租户也失去了对这些数据和应用的绝对控制,这使他们对云计算的安全问题更加担心。如何建立安全和可信的云计算服务、增强租户对云计算服务提供商的信任、使租户在云中部署的应用能够按照自己的期望运行已经成为云计算发展中亟待解决的问题。本文主要研究如何建立云计算中可信的基础设施即服务(IaaS),为租户提供可信的客户域。其核心是对客户域及其所在的计算平台进行完整性度量,使租户能够通过远程证明等方法判断它们的状态是否与预期相同。通过将可信计算和虚拟化技术相结合,本文提出并实现了适用于不同环境的三种可信客户域建立方案,具体包括：(1)提出了基于信任传递的可信客户域建立方案,即建立从硬件安全芯片到客户域应用程序的信任链,度量和记录可能影响客户域及其所在计算平台完整性的实体。针对现有信任传递模型无法准确描述信任传递过程和保护客户域隐私的问题,提出了适用于虚拟化计算平台的客户域信任传递模型；针对信任传递过程中缺失的环节,提出了由租户控制的客户域可信引导程序Trusted pyGRUB;针对云计算服务对租户隐藏了云中的细节使租户无法直接感知计算平台及其完整性状态的问题,提出了远程证明代理协议,协助租户通过代理验证计算平台和客户域是否可信。(2)针对前述方案中存在的验证过程较为复杂、过度依赖操作系统的安全机制、度量的文件不完备等问题,提出并实现了基于域外监控的可信客户域建立方案OB-IMA.该方案的优势有：基于虚拟机自省技术,不依赖客户域操作系统的安全机制,因而不易被攻击和旁路,具有更好的安全性；该方案对客户域完全透明,不需要对客户域操作系统做任何修改,具有更好的适用性；该方案对文件的度量能同时支持系统策略和用户策略，，具有更好的灵活性。和其他域外监控类方案相比,该方案能够对内核空间的行为所涉及的文件进行度量,还能够对不具有执行权限的配置文件和脚本文件等进行度量,具有更好的度量能力。(3)针对OB-IMA方案无法有效地支持使用Windows等内核不完全开源的操作系统的客户域等问题,提出并实现了基于域内外协同监控的可信客户域建立方案Coiob-IMA.该方案通过位于客户域中的采集模块和客户域外的度量模块等协同工作、预先度量和实时度量相结合,不仅能够实现对使用Windows操作系统的客户域的完整性度量,还有效解决了信息遗失和语义空白等问题。为此提出了度量区域和度量区域可信扩展等概念,通过确定操作序列的相关特性来保证预先度量的安全性;提出了一种高效的基于事件机制的域间信息传输方法,降低了对系统性能的影响；提出了一种细粒度的注册表配置度量方法,实现对客户域系统配置的完整性度量。综上所述,本文提出了多种可信客户域的建立方案,这些方案能够适用于多种虚拟化计算平台和客户域操作系统,对实现可信IaaS服务、保护租户在客户域中所部署的应用的完整性具有实际意义。
[Abstract]:Cloud computing is a computing mode and service mode based on Internet is emerging, many kinds of computing integration technology and network technology, is also a hot research in academia and industry in recent years. With convenient, easy to expand and on-demand billing and other advantages, more and more enterprises and the public began to accept and use of cloud computing. The tenants of cloud computing services will need to deploy their data and applications to the cloud, which will enable the data and application by the attacker or destroy the possibility of illegal access. At the same time, the tenants also lost the data and application of absolute control, which makes them the security problem of cloud computing security and how to build more worried. Trusted cloud computing services, cloud computing service providers to enhance the tenant's trust, the tenants in the cloud application deployment according to their expected running has become the development of cloud computing The problem to be solved. This paper mainly studies how to build the cloud computing infrastructure as a service (IaaS) credible, trusted to provide customer domain tenants. Its core is the integrity measurement calculation platform for customers and their domain, so that tenants can through remote attestation method to determine whether their status as expected through the trusted computing and virtualization technology, this paper proposed and implemented for three trusted client domain in different environment establishment scheme, including: (1) put forward the scheme of establishing customer trusted domain trust based on trust chain transfer, namely the establishment from the hardware security chip to the client domain application, measurement and record the integrity of the computing platform may affect the customer and the entity domain. For the existing trust transfer model cannot accurately describe the trust transfer process and the protection of customer privacy problem domain,. The client domain for virtualization computing trust transfer model; for lack of trust transfer process proposed by the customer domain trusted boot program Trusted pyGRUB control for tenants; cloud computing services to tenants hidden details make the cloud computing platform and its tenants cannot perceive the integrity status of the problem, put forward the remote attestation agency agreement, to assist tenants through proxy authentication computing platform and customer domain is credible. (2) according to the scheme in the verification process is more complex, excessive dependence on operating system security mechanism, measurement of file is not complete, proposed and implemented the scheme of establishing OB-IMA. domain monitoring scheme for trusted customers abroad based on the advantages of virtual machine introspection technology based on security mechanism does not rely on the client domain operating system, so it is not easy to be attacked and bypass, with more Good safety; the program is completely transparent to the client domain, do not need to make any changes to the customer domain operating system, has a better applicability; the scheme of measurement and file support system and user policy, has better flexibility. And other foreign monitoring scheme, the scheme can be involved in the kernel space behavior of the file can not measure, execute permissions configuration files such as metric, metric has better ability. (3) according to the OB-IMA scheme can effectively support the use of Windows operating system kernel is not entirely open source domains and other issues, put forward and implement a trusted client domain cooperative monitoring based on collaborative work by customers located in the domain of the acquisition module and client module scheme of Coiob-IMA. metric outside the scheme establishment, pre measurement and Real time measurement of the combination of integrity can not only realize the customer domain to use the Windows operating system to measure, but also an effective solution to the information loss and semantic gaps and other issues. This paper proposes the concept of regional measure and measure regional trusted extensions, to ensure the security of the pre measurement by determining the sequence of operations is put forward; a method of information transmission mechanism between domains based on efficiency, reduce the influence on the performance of the system; put forward a measure of fine grained registry configuration, to achieve the integrity of customer domain system configuration. To sum up, this thesis offers a trusted client domain establishment scheme, this scheme can be applied to a variety of virtual computing platform and operating system to achieve the customer domain, trusted IaaS service, the integrity of the application to protect tenants in the customer deployment in the domain has practical significance.

【学位授予单位】：北京交通大学
【学位级别】：博士
【学位授予年份】：2016
【分类号】：TP393.09;TP309

【相似文献】

相关期刊论文 前10条

1 Global Advisor of GreaterChinaCRM;;度量和建立合作伙伴满意度、忠诚度从而不断带来收益[J];数码世界;2004年16期

2 冯惠珠;;前言[J];航天电子对抗;1986年S1期

3 乐建兵;杨建梅;赵海霞;;软件开发中的度量技术应用[J];科技管理研究;2006年01期

4 魏明侠;卓越制造绩效度量方法的探析[J];科技进步与对策;2000年03期

5 刘颖华;;关于度量和加法教学的几点做法[J];现代教学;2014年05期

6 长弓;怎样度量信息[J];中国培训;1995年01期

7 弓惠生;;软件设计复杂性度量[J];计算机研究与发展;1992年03期

8 邱昭良;量信息化之体裁IT之衣——信息技术(IT)价值度量[J];软件世界;2002年06期

9 伦立军,丁雪梅,李英梅;路径复杂性度量研究[J];计算机应用与软件;2004年04期

10 王欣,沈备军,楼松斋,董辉明;一个面向C++的度量工具的设计与实现[J];华东理工大学学报;2000年05期

相关会议论文 前2条

1 彭学明;;八、行为价值的度量与监督机制研究[A];2010中国国有经济发展论坛暨“中国经济发展方式转变与国有经济战略调整”学术研讨会论文集[C];2010年

2 李宣东;;基于认识与理解途径的软件可信性度量与评估[A];第五届中国测试学术会议论文集[C];2008年

相关重要报纸文章 前5条

1 刘庆;详解“KPI”[N];网络世界;2006年

2 甘肃总队白银支队 张琳;度量里面有团结[N];人民武警;2008年

3 上海社会科学院部门经济研究所研究员 胡晓鹏;讨论“货币超发”不可“情绪化”[N];文汇报;2011年

4 郑也夫;卖地寻根,医病治本[N];南方周末;2010年

5 刘培林国务院发展研究中心发展部;气候变暖:经济学的应对之道[N];中国社会科学报;2010年

相关博士学位论文 前10条

1 邢彬;云计算可信客户域关键技术研究[D];北京交通大学;2016年

2 邹洋杨;（α，β）-度量的广义独角兽问题和重要共形性质[D];西南大学;2014年

3 刘小莉;商业银行信用风险与利率风险的联合度量研究[D];复旦大学;2006年

4 田萍;金融风险存在与度量最新进展研究[D];吉林大学;2005年

5 王微;融合全局和局部信息的度量学习方法研究[D];中国科学技术大学;2014年

6 李本伶;关于某些重要的Finsler度量[D];浙江大学;2007年

7 於耀勇;某些射影平坦的Finsler度量和射影相关的Randers度量[D];浙江大学;2007年

8 翟德明;多视度量和回归学习方法及应用研究[D];哈尔滨工业大学;2014年

9 陈滨;关于Finsler几何中的一类临界度量及Randers度量[D];浙江大学;2008年

10 朱俊鹏;金融稳定的度量及分析[D];中国科学技术大学;2013年

相关硕士学位论文 前10条

1 吴亚东;某些特殊Finsler度量的射影性质[D];宁波大学;2015年

2 陈艺文;Finsler几何中的几类特殊度量[D];宁波大学;2015年

3 杨s

本文编号：1357317