一种面向云平台的虚拟机内存SLA审计机制

doi:10.3969/j.issn.1000-0801.2013.06.012

摘要/Abstract

摘要：

针对云计算的服务模式屏蔽了云租户的物理硬件视图，不可信的云服务提供商（cloud service provider, CSP）可能利用廉价的硬盘资源通过虚拟化技术，违背服务等级协议约定（service level agreement,SLA）按物理内存定价标准为云租户提供服务这一问题，为了审计CSP提供内存服务的SLA合约性，提出了由Xen层到物理硬件层的内存轻量级测量的SLA合约性审计方案。同时引入可信启动机制和HyperSentry用于保证审计系统的可信启动和完整性运行，提出了带云租户签名机制的Diffie-Hellman密钥交换协议支持策略安全和可信告警。实验结果表明，在虚拟机运行环境下该方法能高效地进行内存SLA合约性审计，同时具有较高的云租户自定义策略扩展性和较低的性能开销。

关键词: 云计算, 内存SLA, 审计, 虚拟化, Xen

Abstract:

Cloud service style has shield physical hardware view to cloud tenant, thus untrusted CSP（cloud service provider）may replace expensive physical memory by cheaper hard disk resource, which violates the SLA. Therefore, in order to audit memory SLA of cloud, a novel scheme for auditing physical memory of VM was proposed. This scheme is based on light-weight memory measurement SLA auditing by Xen layer to physical layer. Meanwhile, trust boot mechanism and HyperSentry module to ensure trust boot and integrity guarantee at running time were introduced. Then, digital signatures-based Diffie-Hellman key exchange protocol was also proposed to support strategy security exchange and trust alarm. The experimental results indicate that the proposed module can effectively audit VM memory SLA,and also support strong expansibility of cloud tenant customize strategy with low overhead.

Key words: cloud computing, memory SLA, audit, virtualization, Xen

李攀攀,张宏莉,邓会敏,周志刚. 一种面向云平台的虚拟机内存SLA审计机制[J]. 电信科学, 2013, 29(6): 72-81.

Panpan Li,Hongli Zhang,Huimin Deng,Zhigang Zhou. SLA Audit Mechanism of Virtual Machine Memory on Cloud[J]. Telecommunications Science, 2013, 29(6): 72-81.

图/表 9

图1

图2

图3

图4

图5

图6

图7

表1

图8

参考文献 20

1	Ristenpart T , Tromer E , Shacham H , et al. Finance: status, innovations, resources and future challenges[J]. Managerial Finance, 2008 (6): 365-398.
2	Amazon relational database service （Amazon RDS）. , 2012
3	Xen,the powerful open source industry standard for virtualization . , 2012
4	Azab A M , Ning P , Wang Z , et al. HyperSentry: enabling stealthy incontext measurement of hypervisor integrity. Proceedings of the 17th ACM Conference on Computer and Communications Security, Chicago, USA, 2010: 38～49
5	Zhang Y , Juels A , Oprea A , et al. Home alonecoresidency detection in the cloud via sidechannel analysis. Proceedings of the 23nd IEEE Symposium on Security and Privacy, Oakland, USA, 2011: 313～328
6	Ye L , Zhang H , Shi J , et al. Verify cloud service level agreement. Proceedings of IEEE Global Communications Conference, Anaheim, USA, 2012: 777～782
7	Wang X , Zang J , Wang Z , et al. Selective hardware/software memory virtualization. Proceedings of the 7th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, Newport Beach, USA, 2011: 217～226
	Zhu J , Jiang Z , Xiao Z , et al. Optimizing the performance of virtual machine synchronization for fault tolerance. IEEE Transactions on Computers, 2011,60(12): 1718～1729
9	Szefer J , Lee R B . Architectural support for hypervisorsecure virtualization. Proceedings of the 17th International Conference on Architectural Support for Programming Languages and Operating Systems, London, UK, 2012: 437～450
10	Payne B D , Carbone M D P , Lee W . Secure and flexible monitoring of virtual machines. Proceedings of the 23rd Annual Computer Security Applications Conference, Miami Beach, USA, 2007: 385～397
11	Tian H , Zhan Y , Wang Y M . Analysis of host authentication mechanism in current POD copy protection system. IEEE Transactions on Consumer Electronics, 2005,51(3): 922～924
12	Liu L , Chu R , Zhu Y , et al. DMSS: a dynamic memory scheduling system in server consolidation environments. Proceedings of the 15th IEEE International Symposium on Object/Component/ServiceOriented RealTime Distributed Computing Workshops, Shenzhen, China, 2012: 70～75
13	Baker Z K , Prasanna V K . A computationally efficient engine for flexible intrusion detection. IEEE Transactions on Very Large Scale Integration Systems, 2005,13(10): 1179～1189
14	Heo J , Zhu X , Padala P , et al. Memory overbooking and dynamic control of xen virtual machines in consolidated environments. Proceedings of 11th IFIP/IEEE International Symposium on Integrated Network Management, New York, USA, 2009: 630～637
15	Long N , Colin B , Nieto G , et al. Automated proofs for diffiehellmanbased key exchanges. Proceedings of the 24th IEEE Computer Security Foundations Symposium, France, 2011: 51～65
16	HPLA portable implementation of the highperformance linpack benchmark for distributedmemory computers. , 2012
17	Kistler M , Gunnels J , Brokenshire D , et al. Programming the linpack benchmark for roadrunner. IBM Journal of Research and Development, 2009,53(5): 1～11.
18	SPEC CPU2000. , 2012
19	Wang M , Wu X , Zhang W , et al. A conceptual platform of SLA in cloud computing. Proceedings of the IEEE 9th International Conference on Dependable, Autonomic and Secure Computing, Sydney, Australia, 2011: 1131～1135
20	Wang Z , Tang X , Luo X . Policybased SLAaware cloud service provision framework. Proceedings of 7th International Conference on Semantics Knowledge and Grid, Beijing, China, 2011: 114～121

测试用例	命令
asctime	asctime-1000.sh
文件解压（bz2）	tar zxf linux-source.tar.bz2
文件压缩（gz）	tar zcf linux-source-dir
本地文件复制	cp-r linux-source-dir target directory
远程文件复制	scp-r linux-source-dir target directory
Telnet	telnet remote host

[1]	韩雪. 基于电力大数据的电力骨干通信网络毁伤韧性评估方法[J]. 电信科学, 2023, 39(5): 136-143.
[2]	唐鑫新, 曾学文, 凌致远, 宋磊. 可编程数据平面技术综述[J]. 电信科学, 2023, 39(4): 1-16.
[3]	邬江兴. 论网络技术体制发展范式的变革——网络之网络[J]. 电信科学, 2022, 38(6): 3-12.
[4]	邢文娟, 雷波, 赵倩颖. 算力基础设施发展现状与趋势展望[J]. 电信科学, 2022, 38(6): 51-61.
[5]	邓平科, 张同须, 施南翔, 张童, 邵天竺, 郑韶雯. 星算网络——空天地一体化算力融合网络新发展[J]. 电信科学, 2022, 38(6): 71-81.
[6]	乔稳, 王晓征, 孙震强, 任赣, 刘云新, 杨爱东, 王鹏, 王达, 叶晓舟, 欧阳晔. 下一代电信IT架构演进初探：业务功能虚拟化（BFV）[J]. 电信科学, 2022, 38(6): 143-155.
[7]	马焜, 徐玲玉, 沈晓萍, 龚志城, 蓝建平, 陈双喜, 钱钧. 云计算中基于Shapley值改进遗传算法的虚拟机调度模型[J]. 电信科学, 2022, 38(12): 1-10.
[8]	吴晓春, 洪晨, 张岳, 张俊楠, 周静静. 基于微服务架构的粒度可变服务功能链映射算法[J]. 电信科学, 2022, 38(12): 11-26.
[9]	张岳, 张俊楠, 吴晓春, 洪晨, 周静静. 基于改进灰狼优化算法的服务功能链映射算法[J]. 电信科学, 2022, 38(11): 57-72.
[10]	张学智, 赵婧博, 赵慧杰. 5G行业无线专网技术与业务需求模型[J]. 电信科学, 2021, 37(8): 96-104.
[11]	刘志勇, 何忠江, 阮宜龙, 单俊峰, 张超. 大数据安全特征与运营实践[J]. 电信科学, 2021, 37(5): 160-169.
[12]	全硕, 王旭亮, 朱泽亚. 5G+时代的软件定义安全技术架构研究与实践[J]. 电信科学, 2021, 37(12): 60-71.
[13]	谢景昭, 单炜, 肖畅, 马铁, 陈力, 虞红芳, 孙罡. Klonet：面向技术创新的网络模拟实验平台[J]. 电信科学, 2021, 37(10): 66-75.
[14]	侯慧芳,李雪芳,潘洁,丁志刚. 5G承载网数据采集和安全管控演进思路[J]. 电信科学, 2020, 36(9): 154-159.
[15]	雷波,王江龙,赵倩颖,余勇志,杨明川. 基于计算、存储、传送资源融合化的新型网络虚拟化架构[J]. 电信科学, 2020, 36(7): 42-54.