Chinese Journal of Network and Information Security ›› 2021, Vol. 7 ›› Issue (4): 164-174.doi: 10.11959/j.issn.2096-109x.2021068
• Papers • Previous Articles Next Articles
Guojie LIU1,2, Jianbiao ZHANG1,2, Ping YANG3, Zheng LI1,2
Revised:
2021-04-22
Online:
2021-08-15
Published:
2021-08-01
Supported by:
CLC Number:
Guojie LIU, Jianbiao ZHANG, Ping YANG, Zheng LI. Research on the trusted environment of container cloud based on the TPCM[J]. Chinese Journal of Network and Information Security, 2021, 7(4): 164-174.
"
功能类别 | TPCM | TPM或vTPM |
是否能够保护BIOS固件 | 先于主CPU启动,能够验证BIOS固件 | TPM与vTPM是被动调用,不能验证BIOS固件 |
可信度量时间 | 只需要初始化一次,相对vTPM较短 | vTPM需要每次启动容器是初始化,时间较长 |
是否易受攻击 | 采用物理芯片,作为信任根,不易受攻击 | vTPM容易被恶意篡改 |
是否需要外部保护 | 采用物理芯片,作为信任根,不需要额外保护 | vTPM是虚拟的,作为OS的一个进程,容易被破坏篡改,需要保护 |
远程证明复杂度 | 采用可信度量代理,每个容器根据度量策略,生成一个度量列表,对于同一台主机调用一次TPCM就可以完成验证与证明 | 每个容器对应一个 vTPM,对于同一台主机的多个容器需要调用每一个容器的vTPM进行验证与证明 |
[1] | 张玉清, 王晓菲, 刘雪峰 ,等. 云计算环境安全综述[J]. 软件学报, 2016,27(6): 1328-1348. |
ZHANG Y Q , WANG X F , LIU X F ,et al. Survey on cloud computing security[J]. Journal of Software, 2016,27(6): 1328-1348. | |
[2] | SINGH A , CHATTERJEE K . Cloud security issues and challenges:a survey[J]. Journal of Network and Computer Applications, 2017,79. |
[3] | SINGH S , JEONG Y S , PARK J H . A survey on cloud computing security:issues,threats,and solutions[J]. Journal of Network and Computer Applications, 2016,75. |
[4] | 陈广勇, 祝国邦, 范春玲 . 《信息安全技术网络安全等级保护测评要求》(GB/T 28448-2019)标准解读[J]. 信息网络安全杂志, 2019,19(7): 1-8. |
CHEN G Y , ZHU G B , FAN C L . Information security technology-evaluation requirement for classified protection of cybersecurity (GB/T 28448-2019) standard interpretation[J]. Netinfo Security, 2019,19(7): 1-8. | |
[5] | 吴松, 王坤, 金海 . 操作系统虚拟化的研究现状与展望[J]. 计算机研究与发展, 2019,56(1): 58-68. |
WU S , WANG K , JIN H . Research situation and prospects of operating system virtualization[J]. Journal of Computer Research and Development, 2019,56(1): 58-68. | |
[6] | FELTER W , FERREIRA A , RAJAMONY R ,et al. An updated performance comparison of virtual machines and Linux containers[C]// 2015 IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS). 2015. |
[7] | MERKEL D . Docker:lightweight linux containers for consistent development and deployment[J]. Linux Journal, 2014(1): 76-90. |
[8] | BRENDAN B , BRIAN G , DAVID O ,et al. Borg,Omega,and Kubernetes[J]. Communications of the ACM, 2016,59(5): 50-57. |
[9] | SULTAN S , AHMAD I , DIMITRIOU T . Container security:issues,challenges,and the road ahead[J]. IEEE Access, 2019,7(1): 52976-52996. |
[10] | RUI S , GU X H , ENCK W . A study of security vulnerabilities on docker hub[C]// Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy. 2017. |
[11] | THANH B . Analysis of docker security[J]. arXiv preprint arXiv:1501.02967, 2015. |
[12] | 鲁涛, 陈杰, 史军 . Docker 安全性研究[J]. 计算机技术与发展, 2018,28(6): 115-120. |
LU T , CHEN J , SHI J . Research of Docker security[J]. Computer Technology and Development, 2018,28(6): 115-120. | |
[13] | JAYANTH G , DESIKAN T , TURNER Y . Over 30% of official images in docker hub contain high priority security vulnerabilities[R]. Technical Report. 2015. |
[14] | MANU A R , PATEL J K , AKHTAR S ,et al. A study,analysis and deep dive on cloud PAAS security in terms of Docker container security[C]// 2016 International Conference on Circuit,Power and Computing Technologies (ICCPCT). 2016. |
[15] | SUN Y Q , SAFFORD D , ZOHAR M ,et al. Security namespace:making Linux security frameworks available to containers[C]// Proceedings of the 27th USENIX Conference on Security Symposium (SEC'18). 2018: 1423-1439. |
[16] | BENEDICTIS M D , LIOY A . Integrity verification of Docker containers for a lightweight cloud environment[J]. Future Generation Computer Systems, 2019,97(8): 236-246. |
[17] | HOSSEINZADEH S , LAURéN S ,, LEPPNEN V . Security in container-based virtualization through vTPM[C]// IEEE/ACM International Conference on Utility & Cloud Computing. 2017. |
[18] | GUO Y , YU A , GONG X ,et al. Building trust in container environment[C]// 2019 18th IEEE International Conference on Trust,Security and Privacy in Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE). 2019. |
[19] | 王鹃, 胡威, 张雨菡 ,等. 基于Docker的可信容器[J]. 武汉大学学报(理学版), 2017,63(2): 102-108. |
WANG J , HU W , ZHANG Y H ,et al. Trusted container based on Docker[J]. Journal of Wuhan University (Natural Science Edition), 2017,63(2): 102-108. | |
[20] | XIE X L , YUAN T W , ZHOU X ,et al. Research on trust model in container-based cloud service[J]. CMC:Computers,Materials &Continua, 2018,56(2). |
[21] | 冯登国, 秦宇, 汪丹 ,等. 可信计算技术研究[J]. 计算机研究与发展, 2011,48(8): 1332-1349. |
FENG D G , QIN Y , WANG D ,et al. Research on trusted computing technology[J]. Journal of Computer Research and Development, 2011,48(8): 1332-1349. | |
[22] | SHEN C X , ZHANG H G , WANG H M ,et al. Research on trusted computing and its development[J]. Science China Information Sciences, 2010,53(3): 405-433. |
[23] | 张焕国, 罗捷, 金刚 ,等. 可信计算研究进展[J]. 武汉大学学报(理学版), 2006(5): 513-518. |
ZHANG H G , LUO J , JIN G ,et al. Development of trusted computing research[J]. Wuhan University Journal of Natural Sciences, 2006(5): 513-518. | |
[24] | FENG D G , QIN Y , FENG W ,et al. The theory and practice in the evolution of trusted computing[J]. Chinese Science Bulletin, 2014,59(32): 4173-4189. |
[25] | 郭颖, 毛军捷, 张翀斌 ,等. 基于可信平台控制模块的主动度量方法[J]. 清华大学学报(自然科学版), 2012,52(10): 1465-1473. |
GUO Y , MAO J J , ZHANG C B ,et al. Active measures base on a trusted platform control module[J]. Journal of Tsinghua University (Sci and Tech), 2012,52(10): 1465-1473. | |
[26] | 中国国家标准化委员会. 信息安全技术可信计算规范可信平台控制模块[S]. 征求意见稿, 2019. |
National Information Security Standardization Technical Committee. Information security technology-trusted computing specification-motherboard function and interface of trusted platform[S]. Draft for Comments, 2019. | |
[27] | 沈昌祥 . 用主动免疫可信计算 3.0 筑牢网络安全防线营造清朗的网络空间[J]. 信息安全研究, 2018,4(4): 282-302. |
SHEN C X . To create a positive cyberspace by safeguarding network security with active immune trusted computing 3.0[J]. Journal of Information Security Research, 2018,4(14): 282-302. | |
[28] | GB/T 37935-2019. 信息安全技术 可信计算规范 可信软件基[S]. 2020. |
GB/T 37935-2019. Information security technology-Trusted computing specification-Trust software base[S]. 2020. | |
[29] | 沈昌祥, 张大伟, 刘吉强 ,等. 可信3.0战略:可信计算的革命性演变[J]. 中国工程科学, 2016,18(6): 53-57. |
SHEN C X , ZHANG D W , LIU J Q ,et al. The strategy of TC 3.0:a revolutionary evolution in trusted computing[J]. Strategic Study of Chinese Academy of Engineering, 2016,18(6): 53-57. | |
[30] | 田俊峰, 常方舒 . 基于 TPM 联盟的可信云平台管理模型[J]. 通信学报, 2016,37(2): 1-10. |
TIAN J F , CHANG F S . Trusted cloud platform management model based on TPM alliance[J]. Journal on Communications, 2016,37(2): 1-10. | |
[31] | 刘国杰, 张建标 . 基于 TPCM 的服务器可信 PXE 启动方法[J]. 网络与信息安全学报, 2020,6(6): 105-111. |
LIU G J , ZHANG J B . TPCM-based trusted PXE boot method for servers[J]. Chinese Journal of Network and Information Security, 2020,6(6): 105-111. | |
[32] | BERGER S , CáCERES R ,, GOLDMAN K A ,et al. vTPM:virtualizing the trusted platform module[J]. Usenix Security, 2006,15: 305-320. |
[33] | 田健生, 詹静 . 基于 TPCM 的主动动态度量机制的研究与实现[J]. 信息网络安全, 2016,16(6): 22-27. |
TIAN J S , ZHAN J . Research and implementation of active dynamic measurement based on TPCM[J]. Netinfo Security, 2016,16(6): 22-27. | |
[34] | 黄坚会, 石文昌 . 基于ATX主板的TPCM主动度量及电源控制设计[J]. 信息网络安全, 2016,16(11): 1-5. |
HUANG J H , SHI W C . The TPCM active measurement and power control design for ATX motherboard[J]. Netinfo Security, 2016,16(11): 1-5. | |
[35] | 黄坚会, 沈昌祥 . TPCM主动防御可信服务器平台设计[J]. 郑州大学学报(理学版), 2019,51(3): 1-6. |
HUANG J H , SHEN C X . Trusted platform design of server with TPCM active defense[J]. Journal of Zhengzhou University (Natural Science Edition) (2019), 2019,51(3): 1-6. | |
[36] | IBM's software TPM 2[EB]. |
[37] | EDK Ⅱ project[EB]. |
[38] | Docker[EB]. |
[39] | Kubernetes[EB]. |
[1] | Bo ZHAO, Anqi YUAN, Yang AN. Application progress of SGX in trusted computing area [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 126-142. |
[2] | Guojie LIU,Jianbiao ZHANG. TPCM-based trusted PXE boot method for servers [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 105-111. |
[3] | Bo ZHAO, Xiang LI, Fei YAN, Liqiang ZHANG, Huanguo ZHANG. Trusted platform for third-party cloud computing online evaluation and analysis technology [J]. Chinese Journal of Network and Information Security, 2019, 5(5): 90-104. |
[4] | Jiyang LI,Pengyuan ZHAO,Zhe LIU. Trusted access scheme for intranet mobile terminal based on encrypted SD card [J]. Chinese Journal of Network and Information Security, 2019, 5(4): 108-118. |
[5] | Xiao YU,Li TIAN,Zhe LIU,Jie WANG. Research on key management and authentication protocol of PDA in smart grid [J]. Chinese Journal of Network and Information Security, 2018, 4(3): 68-75. |
[6] | Wei WANG, Xingshu CHEN, Xiao LAN, Xin JIN. VMI-based virtual machine remote attestation scheme [J]. Chinese Journal of Network and Information Security, 2018, 4(12): 32-43. |
[7] | Jianbiao ZHANG,Yuanxi ZHU,Jun HU,Xiao WANG. Scheme of virtual machine trusted migration in cloud environment [J]. Chinese Journal of Network and Information Security, 2018, 4(1): 6-14. |
[8] | Jun XU. Trusted computing mobile terminal application research based on biometric trusted access protocol [J]. Chinese Journal of Network and Information Security, 2017, 3(2): 66-76. |
[9] | Zhao-chang SUN,Jian-feng MA,Cong SUN,Di LU. Approach on runtime monitoring based on the embedded trusted platforms [J]. Chinese Journal of Network and Information Security, 2017, 3(10): 44-51. |
[10] | Kai WANG,Zhi-hua LI,Fan, HUANG,Fei1 YAN. HyperSpector:VMM dynamic trusted monitor based on UEFI [J]. Chinese Journal of Network and Information Security, 2016, 2(12): 47-55. |
[11] | Yu-tao LIU,Hai-bo CHEN. Virtualization security:the good,the bad and the ugly [J]. Chinese Journal of Network and Information Security, 2016, 2(10): 17-28. |
[12] | Wei-qi DAI,De-qing ZOU,Hai JIN,Yan XIA. Research on consistency protection mechanism for secure states of virtual domain in cloud environment [J]. Chinese Journal of Network and Information Security, 2016, 2(10): 48-57. |
Viewed | ||||||
Full text |
|
|||||
Abstract |
|
|||||
|