通信学报 ›› 2019, Vol. 40 ›› Issue (2): 154-163.doi: 10.11959/j.issn.1000-436x.2019035
何欣枫1,2,3,田俊峰1,2,3,刘凡鸣2,3
修回日期:
2019-01-29
出版日期:
2019-02-01
发布日期:
2019-03-04
作者简介:
何欣枫(1976- ),男,天津人,河北大学博士生,主要研究方向为云计算安全、可信计算等。|田俊峰(1965- ),男,河北保定人,博士,河北大学教授、博士生导师,主要研究方向为信息安全、分布式计算等。|刘凡鸣(1990- ),女,河北保定人,河北大学实验师,主要研究方向为大数据处理、云计算安全等。
基金资助:
Xinfeng HE1,2,3,Junfeng TIAN1,2,3,Fanming LIU2,3
Revised:
2019-01-29
Online:
2019-02-01
Published:
2019-03-04
Supported by:
摘要:
云计算安全需求使信息安全技术面临更严峻的挑战,云平台自身的可信性是保证云计算安全的基础,提高用户对云平台的信任度是云计算技术向更深层次领域发展、全面普及和应用的关键。可信云计算技术是解决上述问题的一个有效手段。从保障云计算平台可信的角度出发,通过介绍可信虚拟化、可信云平台构建及可信虚拟机等相关技术的研究进展,分析并对比了典型方案的特点、适用范围及其在可信云计算领域的不同效用,讨论已有工作的局限性,进而指出未来发展趋势和后续研究方向。
中图分类号:
何欣枫,田俊峰,刘凡鸣. 可信云平台技术综述[J]. 通信学报, 2019, 40(2): 154-163.
Xinfeng HE,Junfeng TIAN,Fanming LIU. Survey on trusted cloud platform technology[J]. Journal on Communications, 2019, 40(2): 154-163.
[1] | 林闯, 苏文博, 孟坤 ,等. 云计算安全:架构、机制与模型评价[J]. 计算机学报, 2013,36(9): 1765-1784. |
LIN C , SU W B , MENG K ,et al. Cloud computing security:architecture,mechanism and modeling[J]. Chinese Journal of Computers, 2013,36(9): 1765-1784. | |
[2] | 冯登国, 张敏, 张妍 ,等. 云计算安全研究[J]. 软件学报, 2011,22(1): 71-83. |
FENG D G , ZHANG M , ZHANG Y ,et al. Study on cloud computing security[J]. Journal of Software, 2011,22(1): 71-83. | |
[3] | ALANI M M . Securing the cloud:threats,attacks and mitigation techniques[J]. Journal of Advanced Computer Science & Technology, 2014,3(2):202. |
[4] | 张玉清, 王晓菲, 刘雪峰 ,等. 云计算环境安全综述[J]. 软件学报, 2016,27(6): 1328-1348. |
ZHANG Y Q , WANG X F , LIU X F ,et al. Survey on cloud computing security[J]. Journal of Software, 2016,27(6): 1328-1348. | |
[5] | 沈昌祥 . 用可信计算构筑云计算安全[J]. 中国经贸导刊, 2017,(16): 56-57. |
SHENG C X . Constructing cloud security with trusted compu-ting[J]. China Economic & Trade Herald, 2017(16): 56-57. | |
[6] | 丁滟, 王怀民, 史佩昌 ,等. 可信云服务[J]. 计算机学报, 2015,38(1): 133-149. |
DING Y , WANG H M , SHI P C ,et al. Trusted cloud service[J]. Chi-nese Journal of Computers, 2015,38(1): 133-149. | |
[7] | BERGER S , CERES R , GOLDMAN K A ,et al. vTPM:virtualizing the trusted platform module[C]// Conference on Usenix Security Symposium. USENIX Association, 2006:21. |
[8] | STEFAN B , RAMóN C , KENNETH A G ,et al. vTPM:virtualizing the trusted platform module[J]. Usenix Security, 2007,15: 305-320. |
[9] | BERGER S , GOLDMAN K , PENDARAKIS D ,et al. Scalable attestation:a step toward secure and trusted clouds[C]// IEEE International Conference on Cloud Engineering. IEEE, 2015: 185-194. |
[10] | 沈昌祥, 张焕国, 王怀民 ,等. 可信计算的研究与发展[J]. 中国科学:信息科学, 2010(2): 139-166. |
SHEN C X , ZHANG H G , WANG H M ,et al. The research & devel-opment of trusted computing[J]. Science China Information Sciences, 2010(2): 139-166. | |
[11] | 王冠, 袁华浩 . 基于可信根服务器的虚拟 TCM 密钥管理功能研究[J]. 信息网络安全, 2016(4): 17-22. |
WANG G , YUAN H H . Research of virtual trusted cryptography mod-ule’s secret key management based on the trusted root server[J]. Netinfo Security, 2016(4): 17-22. | |
[12] | 张建标, 赵子枭, 胡俊 ,等. 云环境下可重构虚拟可信根的设计框架[J]. 信息网络安全, 2018(1): 1-8. |
ZHANG J B , ZHAO Z X , HU J ,et al. The design framework of re-configurable virtual root of trust in cloud environment[J]. Netinfo Se-curity, 2018(1): 1-8. | |
[13] | 杨永娇, 严飞, 毛军鹏 ,等. Ng-vTPM:新一代TPM虚拟化框架设计[J]. 武汉大学学报(理学版), 2015,61(2): 103-111. |
YANG Y J , YAN F , MAO J P ,et al. Ng-vTPM:a next generation vir-tualized TPM architecture[J]. Journal of Wuhan University(Natural Science Edition), 2015,61(2): 103-111. | |
[14] | 沈昌祥, 公备 . 基于国产密码体系的可信计算体系框架[J]. 密码学报, 2015(5): 381-389. |
SHEN C X , GONG B . The innovation of trusted computing based on the domestic cryptography[J]. Journal of Cryptologic Research, 2015(5): 381-389. | |
[15] | 黄坚会, 沈昌祥, 谢文录 . TPCM三阶三路安全可信平台防护架构[J]. 武汉大学学报(理学版), 2018(2): 109-114. |
HUANG J H , SHEN C X , XIE W L . The TPCM 3P3C defense architecture of safety and trusted platform[J]. Journal of Wuhan University(Natural Science Edition), 2018(2): 109-114. | |
[16] | GARFINKEL T , PFAFF B , CHOW J ,et al. Terra:a virtual machine-based platform for trusted computing[C]// ACM Symposium on Operating Systems Principles. 2003: 193-206. |
[17] | SCHUSTER F , COSTA M , FOURNET C ,et al. VC3:trustworthy data analytics in the cloud using SGX[C]// IEEE Symposium on Security and Privacy. 2015: 38-54. |
[18] | JAIN P , DESAI S , KIM S ,et al. OpenSGX:an open platform for SGX research[C]// The Network and Distributed System Security Symposium. 2016. |
[19] | 杨波, 冯登国, 秦宇 ,等. 基于 TrustZone 的可信移动终端云服务安全接入方案[J]. 软件学报, 2016,27(6): 1366-1383. |
YANG B , FENG D G , QIN Y ,et al. Secure access scheme of cloud services for trusted mobile terminals using TrustZone[J]. Journal of Software, 2016,27(6): 1366-1383. | |
[20] | SANTOS N , . Using ARM TrustZone to build a trusted language runtime for mobile applications[C]// International Conference on Arohitectural Support for Programming Languages & Operating Systems. 2016: 67-80. |
[21] | 王丽娜, 高汉军, 余荣威 ,等. 基于信任扩展的可信虚拟执行环境构建方法研究[J]. 通信学报, 2011,32(9): 1-8. |
WANG L N , GAO H J , YU R W ,et al. Research of constructing trust-ed virtual execution environment based on trust extension[J]. Journal on Communications, 2011,32(9): 1-8. | |
[22] | 刘川意, 林杰, 唐博 . 面向云计算模式的运行环境可信性动态验证机制[J]. 软件学报, 2013,24(1): 1240-1252. |
LIU C Y , LIN J , TANG B.A dynamic trustworthiness verification mechanism for trusted cloud execution environment . [J]. Journal of Software, 2013,24(1): 1240-1252 | |
[23] | 刘川意, 王国峰, 林杰 ,等. 可信的云计算运行环境构建和审计[J]. 计算机学报, 2016,39(2): 339-350. |
LIU C Y , WANG G F , LIN J ,et al. Practical construction and audit for trusted cloud execution environment[J]. Chinese Journal of Computers, 2016,39(2): 339-350. | |
[24] | LI X Y , ZHOU L T , SHI Y ,et al. A trusted computing environment model in cloud architecture[C]// International Conference on Machine Learning and Cybernetics. 2010: 2843-2848. |
[25] | WANG J , ZHAO B , ZHANG H ,et al. POSTER:an E2E trusted cloud infrastructure[C]// The ACM SIGSAC Conference on Computer and Communications Security. 2014: 1517-1519. |
[26] | SANTOS N , GUMMADI K P , RODRIGUES R . Towards trusted cloud computing[C]// Conference on Hot Topics in Cloud Computing. USENIX Association, 2009:3. |
[27] | SANTOS N , RODRIGUES R , GUMMADI K P ,et al. Policy-sealed data:a new abstraction for building trusted cloud services[C]// USENIX Conference on Security Symposium, 2012: 1-14. |
[28] | 田俊峰, 常方舒 . 基于 TPM 联盟的可信云平台管理模型[J]. 通信学报, 2016,37(2): 1-10. |
TIAN J F , CHANG F S . Trusted cloud platform management model based on TPM alliance[J]. Journal on Communications, 2016,37(2): 1-10. | |
[29] | CHEN C , RAJ H , SAROIU S ,et al. cTPM:a cloud TPM for cross-device trusted applications[C]// The USENIX Conference on Networked Systems Design and Implementation. 2014: 187-201. |
[30] | SAYLER A , KELLER E , GRUNWALD D . Jobber:automating inter-tenant trust in the cloud[C]// Workshop on Hot Topics in Cloud Computing. 2013: 1-6. |
[31] | 石勇, 郭煜, 刘吉强 ,等. 一种透明的可信云租户隔离机制研究[J]. 软件学报, 2016,27(6): 1538-1548. |
SHI Y , GUO Y , LIU J Q ,et al. Trusted cloud tenant separation mecha-nism supporting transparency[J]. Journal of Software, 2016,27(6): 1538-1548. | |
[32] | 王佳慧, 刘川意, 王国峰 ,等. 基于可验证计算的可信云计算研究[J]. 计算机学报, 2016,39(2): 286-304. |
WANG J H , LIU C Y , WANG G F ,et al. Review of trusted cloud computing based on proof-based verifiable computation[J]. Chinese Journal of Computers, 2016,39(2): 286-304. | |
[33] | 项国富, 金海, 邹德清 ,等. 基于虚拟化的安全监控[J]. 软件学报, 2012,23(8): 2173-2187. |
XIANG G F , JIN H , ZOU D Q ,et al. Virtualization-based security monitoring[J]. Journal of Software, 2012,23(8): 2173-2187. | |
[34] | GARFINKEL T . A virtual machine introspection based architecture for intrusion detection[J]. Proc.network & Distributed Systems Security Symp, 2003: 191-206. |
[35] | PAYNE B D . Simplifying virtual machine introspection using LibVMI[J]. Office of Scientific & Technical Information Technical Reports, 2012: 1-20. |
[36] | 李保珲, 徐克付, 张鹏 ,等. 虚拟机自省技术研究与应用进展[J]. 软件学报, 2016,27(6): 1384-1401. |
LI B H , XU K F , ZHANG P ,et al. Research and application progress of virtual machine introspection technology[J]. Journal of Software, 2016,27(6): 1384-1401. | |
[37] | SCHIFFMAN J , VIJAYAKUMAR H , JAEGER T . Verifying system integrity by proxy[M]. Berlin: SpringerPress, 2012: 179-200. |
[38] | ZHANG T , LEE R B . CloudMonatt:an architecture for security health monitoring and attestation of virtual machines in cloud computing[C]// International Symposium on Computer Architecture. 2015: 362-374. |
[39] | ZHANG T , LEE R B . Monitoring and attestation of virtual machine security health in cloud computing[J]. IEEE Micro, 2016,36(5): 28-37. |
[40] | XIANG G , JIN H , ZOU D ,et al. VMDriver:a driver-based monitoring mechanism for virtualization[C]// Reliable Distributed Systems. 2010: 72-81. |
[41] | JIA L , ZHU M , TU B . T-VMI:trusted virtual machine introspection in cloud environments[C]// International Symposium on Cluster,Cloud and Grid Computing. 2017: 478-487. |
[42] | 王庆飞, 严飞, 王鹃 ,等. IaaS 下虚拟机的安全存储和可信启动[J]. 武汉大学学报(理学版), 2014,60(3): 231-236. |
WANG Q F , YAN F , WANG J ,et al. Secure storage and trusted launch of virtual machine in IaaS[J]. Journal of Wuhan University(Natural Science Edition), 2014,60(3): 231-236. | |
[43] | PALADI N , GEHRMANN C , ASLAM M ,et al. Trusted launch of virtual machine instances in public IaaS environments[M]. Berlin:Springer. 2013. |
[44] | ZHANG Y , JUELS A , OPREA A ,et al. HomeAlone:co-residency detection in the cloud via side-channel analysis[C]// Security and Privacy. 2011: 313-328. |
[45] | EZHILCHELVAN P , MITRANI I . Evaluating the probability of malicious co-residency in public clouds[J]. IEEE Transactions on Cloud Computing, 2017,5(3): 420-427. |
[46] | SMYTH B , RYAN M , CHEN L . Direct anonymous attestation (DAA):ensuring privacy with corrupt administrators[C]// European Conference on Security and Privacy in Ad-Hoc and Sensor Networks. 2007: 218-231. |
[47] | 杨力, 张俊伟, 马建峰 ,等. 改进的移动计算平台直接匿名证明方案[J]. 通信学报, 2013,34(6): 69-75. |
YANG L , ZHANG J W , MA J F ,et al. Improved direct anonymous at-testation scheme for mobile computing platform[J]. Journal on Com-munications, 2013,34(6): 69-75. | |
[48] | 周彦伟, 杨波, 吴振强 ,等. 基于身份的跨域直接匿名认证机制[J]. 中国科学:信息科学, 2014,44(9): 1102-1120. |
ZHOU Y W , YANG B , WU Z Q ,et al. Direct anonymous authentica-tion scheme in cross-domain based on identity[J]. Science China In-formation Sciences, 2014,44(9): 1102-1120. | |
[49] | 张严, 冯登国, 于爱民 . 云计算环境虚拟机匿名身份证明方案[J]. 软件学报, 2013,24(12): 2897-2908. |
ZHANG Y , FENG D G , YU A M . Virtual machine anonymous attesta-tion in cloud computing[J]. Journal of Software, 2013,24(12): 2897-2908. | |
[50] | 王中华, 韩臻, 刘吉强 ,等. 云环境下基于PTPM和无证书公钥的身份认证方案[J]. 软件学报, 2016,27(6): 1523-1537. |
WANG Z H , HAN Z , LIU J Q ,et al. ID authentication scheme based on PTPM and certificateless public key cryptography in cloud envi-ronment[J]. Journal of Software, 2016,27(6): 1523-1537. | |
[51] | 于爱民, 冯登国, 汪丹 . 基于属性的远程证明模型[J]. 通信学报, 2010,31(8): 1-8. |
YU A M , FENG D G , WANG D . Property-based remote attestation model[J]. Journal on Communications, 2010,31(8): 1-8. | |
[52] | 冯登国, 秦宇 . 一种基于 TCM 的属性证明协议[J]. 中国科学:信息科学, 2010,40(2): 189-199. |
FENG D G , QIN Y . A property attestation protocol based on TCM[J]. Science China Information Sciences, 2010,40(2): 189-199. | |
[53] | NING Z H , JIANG W , ZHAN J ,et al. Property-based anonymous attestation in trusted cloud computing[J]. Journal of Electrical &Computer Engineering, 2014(17): 1-7. |
[54] | AWAD A , KADRY S , LEE B ,et al. Property based attestation for a secure cloud monitoring system[C]// IEEE/ACM International Conference on Utility and Cloud Computing. 2014: 934-940. |
[55] | AHMAD R W , GANI A , HAMID S H A ,et al. A survey on virtual machine migration and server consolidation frameworks for cloud data centers[J]. Journal of Network & Computer Applications, 2015,52(C): 11-25. |
[56] | ZHANG Y , JUELS A , OPREA A ,et al. HomeAlone:co-residency detection in the cloud via side-channel analysis[C]// IEEE Symposium on Security and Privacy. 2011: 313-328. |
[57] | HAN Y , CHAN J , ALPCAN T ,et al. Using virtual machine allocation policies to defend against co-resident attacks in cloud computing[J]. IEEE Transactions on Dependable and Secure Computing, 2017,14(1): 95-108. |
[58] | XU Z , WANG H , WU Z . A measurement study on co-residence threat inside the cloud[C]// The USENIX Conference on Security Symposium. 2015: 1-24. |
[59] | 梁鑫, 桂小林, 戴慧珺 ,等. 云环境中跨虚拟机的 cache 侧信道攻击技术研究[J]. 计算机学报, 2017,40(2): 317-336. |
LIANG X , GUI X L , DAI H J ,et al. Cross-VM cache side channel at-tacks in cloud:a survey[J]. Chinese Journal of Computers, 2017,40(2): 317-336. | |
[60] | DANEV B , MASTI R J , KARAME G O ,et al. Enabling secure VM-vTPM migration in private clouds[C]// The Annual Computer Security Applications Conference. 2011: 187-196. |
[61] | HONG Z , WANG J , ZHANG H G ,et al. A trusted VM-vTPM live migration protocol in clouds[J]. Proceedings of International Work shop on Cloud Computing & Information Security, 2013,52(1391): 299-302. |
[62] | ASLAM M , GEHRMANN C , BJORKMAN M . Security and trust preserving VM migrations in public clouds[C]// The IEEE International Conference on Trust,Security and Privacy in Computing and Communications. 2012: 869-876. |
[63] | CELESTI A , SALICI A , VILLARI M ,et al. A remote attestation approach for a secure virtual machine migration in federated cloud environments[C]// IEEE Symposium on Network Cloud Computing and Applications. 2011: 99-106. |
[64] | HE X , TIAN J . A trusted VM live migration protocol in IaaS[C]// Trusted Computing and Information Security. 2017: 41-52. |
[65] | 范伟, 孔斌, 张珠君 ,等. KVM虚拟化动态迁移技术的安全防护模型[J]. 软件学报, 2016,27(6): 1402-1416. |
FAN W , KONG B , ZHANG Z J ,et al. Security protection model on live migration for KVM virtualization[J]. Journal of Software, 2016,27(6): 1402-1416. | |
[66] | 石源, 张焕国, 吴福生 . 一种可信虚拟机迁移模型构建方法[J]. 计算机研究与发展, 2017,54(10): 2284-2295. |
SHI Y , ZHANG H G , WU F S . A method of constructing the model of trusted virtual machine migration[J]. Journal of Computer Research and Development, 2017,54(10): 2284-2295. |
[1] | 马玲, 樊漆亮, 许婷, 郭冠琛, 张圣林, 孙永谦, 张玉志. 基于强化学习的在线离线混部云环境下的调度框架[J]. 通信学报, 2023, 44(6): 90-102. |
[2] | 王化群, 刘哲, 何德彪, 李继国. 公有云中身份基多源IoT终端数据PDP方案[J]. 通信学报, 2021, 42(7): 52-60. |
[3] | 张键红, 武梦龙, 王晶, 刘沛, 姜正涛, 彭长根. 云环境下安全的可验证多关键词搜索加密方案[J]. 通信学报, 2021, 42(4): 139-149. |
[4] | 李瑞琪, 贾春福, 王雅飞. 基于NTRU的多密钥同态代理重加密方案及其应用[J]. 通信学报, 2021, 42(3): 11-22. |
[5] | 张嘉伟, 马建峰, 马卓, 李腾. 云计算中基于时间和隐私保护的可撤销可追踪的数据共享方案[J]. 通信学报, 2021, 42(10): 81-94. |
[6] | 王文娟, 杜学绘, 单棣斌. 基于动态概率攻击图的云环境攻击场景构建方法[J]. 通信学报, 2021, 42(1): 1-17. |
[7] | 田有亮,骆琴. 基于改进Merkle-Tree认证方法的可验证多关键词搜索方案[J]. 通信学报, 2020, 41(9): 118-129. |
[8] | 王娜,郑坤,付俊松,李剑. 基于分块的移动边缘计算密文检索方法[J]. 通信学报, 2020, 41(7): 95-102. |
[9] | 赵临东,庄文芹,陈建新,周亮. 异构蜂窝网络中分层任务卸载:建模与优化[J]. 通信学报, 2020, 41(4): 34-44. |
[10] | 梁冰,纪雯. 基于次模优化的边云协同多用户计算任务迁移方法[J]. 通信学报, 2020, 41(10): 25-36. |
[11] | 苏命峰,王国军,李仁发. 基于利益相关视角的多维QoS云资源调度方法[J]. 通信学报, 2019, 40(6): 102-115. |
[12] | 陈兴蜀,滑强,王毅桐,葛龙,朱毅. 云环境下SDN网络低速率DDoS攻击的研究[J]. 通信学报, 2019, 40(6): 210-222. |
[13] | 王万良, 臧泽林, 陈国棋, 屠杭垚, 王宇乐, 陆琳彦. 大规模云计算服务器优化调度问题的最优二元交换算法研究[J]. 通信学报, 2019, 40(5): 180-191. |
[14] | 王田,沈雪微,罗皓,陈柏生,王国军,贾维嘉. 基于雾计算的可信传感云研究进展[J]. 通信学报, 2019, 40(3): 170-181. |
[15] | 朱智强,林韧昊,胡翠云. 基于数字证书的openstack身份认证协议[J]. 通信学报, 2019, 40(2): 188-196. |
阅读次数 | ||||||
全文 |
|
|||||
摘要 |
|
|||||
|