云计算环境下可信虚拟机管理模型

doi:10.3969/j.issn.1000-436x.2014.z2.013

Abstract

Abstract:

For virtual machine in cloud computing,the authorization of manager domain is too centralized to be secure,and the strategies of tenants can be easily falsified.In view of the two problems,a trusted virtual machine management Model for cloud computing infrastructure is proposed.The model provides fine grained manager domain of virtual machine in which both managers and tenants are strictly constrained when they operate on other tenant domains.The sensitive code and data in tenant virtual machine cannot be accessed or falsified without permission.The model creates a trustable tunnel between tenant and system domain,and distributes tenant strategies using the tunnel in a secure way.Security analysis and experimental results show the model ensures the security of tenant data and tenant strategies effectively.

Key words: cloud computing, trusted computing, virtual machine management

Zhen-ji ZHOU,Li-fa WU,Zheng HONG,Hai-guang LAI,Cheng-hui ZHENG. Trusted virtual machine management model for cloud computing[J]. Journal on Communications, 2014, 35(Z2): 94-105.

Figures/Tables 12

References 22

[1]	冯登国, 张敏, 张妍 ,等. 云计算安全研究[J]. 软件学报, 2011,22(1): 71-83. FENG D G , ZHANG M , ZHANG Y ,et al. Study on cloud computing security[J]. Journal of Software, 2011,22(1): 71-83.
[2]	黄瑛, 石文昌 . 云基础设施安全性研究综述[J]. 计算机科学, 2011,38(7): 24-30. HUANG Y , SHI W C . Survey of research on cloud infrastructure security[J]. Computer Science, 2011,38(7): 24-30.
[3]	SANTOS N , GUMMADI K P , RODRIGUES R . Towards trusted cloud computing[A]. Proc of the Workshop on Hot Topics in Cloud Computing[C]. 2009.
[4]	Architecture for Managing Clouds[EB/OL]. .
[5]	ABBADI I , RUAN A . Towards trustworthy resouce scheduling in clouds[J]. Information Forensics and Security,IEEE Transactions on, 2013,8(6): 973-984.
[6]	JOSHUA S , THOMAS M , HAYAWARDH V ,et al. Seeding Clouds with Trust Anchors[R]. Network and Security Research Center, 2010.
[7]	Trusted Computing Group-TCG Architecture Overview,Version 1.4[EB/OL]. .
[8]	GARFINKEL T , PFAFF B , CHOW J ,et al. Terra:a virtual machine-based platform for trusted computing[J]. ACM SIGOPS Operating Systems Review, 2003,37(5): 193-206.
[9]	怀进鹏, 李沁, 胡春明 . 基于虚拟机的虚拟计算环境研究与设计[J]. 软件学报, 2007,18(8): 2016-2026. HUAI J P , LI Q , HU C M . Research and design on hypervisor based virtual computing enviroment[J]. Journal of Software, 2007,18(8): 2016-2026.
[10]	BERGER S , CACERES R , PENDARAKIS D E ,et al. TVDc:managing security in the trusted virtual datacenter[J]. Operating Systems Review, 2008,42(1): 40-47.
[11]	KELLER E , SZEFER J , REXFORD J ,et al. NoHype:virtualized cloud infrastructure without the virtualization[A]. Proc of the 37th Annual International Symposium on Computer Architecture[C]. 2010.
[12]	VMware GSX server[EB/OL]. .
[13]	GRIFFIN J , JAEGER T , PEREZ R ,et al. Trusted virtual domains:toward secure distributed services[A]. Proc of the First Workshop on Hot Topics in Systems Dependability[C]. 2005.
[14]	BUSSANI A , GRIFFIN J , JANSEN B ,et al. Trusted Virtual Domains:Secure Foundations for Business and It Services[R]. IBM Research, 2005.
[15]	ABADI M , TUTTLE M R . A semantics for a logic of authentication[A]. Proc of the Tenth Annual ACM Symposium on Principles of Distributed Computing[C]. 1991.
[16]	BARHAM P , DRAGOVIC B , FRASER K ,et al. Xen and the art of virtualization[A]. Proc of the Nineteenth ACM Symposium on Operating Systems Principles, 2003.
[17]	ZHOU Z J , WU L F , HONG Z . Context-aware access control model for cloud computing[J]. Journal of Grid and Distributed Computing, 2013,6(6): 1-12.
[18]	ZHOU Z J , WU L F , HONG Z ,et al. DTSTM:dynamic tree style trust measurement model for cloud computing[J]. KSII Transactions on Internet and Information Systems, 2014,8(1): 305-325.
[19]	Openstack open source cloud computing software[EB/OL]. .
[20]	KAUFMAN L M . Can public cloud security meet its unique challenges[J]. IEEE Security and Privacy, 2010,8(4): 55-57.
[21]	Dm-crypt:a device-mapper crypto target[EB/OL]. .
[22]	Help protect your files using Bitlocker drive encryption[EB/OL]. .

Metrics

Recommended 0

No Suggested Reading articles found!

特权	说明
虚拟机管理 (B)	创建、启动、停止和销毁虚拟机
虚拟机控制 (C)	挂起、恢复、调度和迁移虚拟机
虚拟机通信 (I)	设置事件通道和虚拟I/O共享内存
虚拟机内省 (P)	映射虚拟机内存和虚拟CPU寄存器
状态查询 (R)	查询虚拟机状态信息和主机的物理参数
主机配置 (L)	配置物理主机中断控制器和编程时钟源

管理域	Hardware	S-Dom	A-Dom	G-Dom	U-Dom0	U-DomU
S-Dom	L,R	—	B,I,P,R	B,I,P,R	B,I,P,R	B,I,P,R
A-Dom	—	—	—	C,I,R	C,R	C,R
G-Dom	—	—	—	—	I,P,R	I,P,R
U-Dom0	—	—	—	—	—	C,I,P,R

攻击实例	攻击目标	说明
AT(1)	虚拟CPU	调用特权操作读写虚拟CPU
AT(2)	物理内存	调用特权操作映射物理内存
AT(3)	外部存储	访问虚拟机磁盘和主机磁盘
AT(4)	网络	监听虚拟机和主机网络
AT(5)	虚拟机映像	调用虚拟机迁移操作读写虚拟机映像

攻击实例	Xen	Terra	TVD	TVMM
AT(1)	—	√	—	√
AT(2)	—	√	—	√
AT(3)	—	—	√	√
AT(4)	—	—	√	√
AT(5)	—	—	—	√

Trusted virtual machine management model for cloud computing

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 22

Related Articles 15

Metrics

Recommended 0

[1]	Ling MA, Qiliang FAN, Ting XU, Guanchen GUO, Shenglin ZHANG, Yongqian SUN, Yuzhi ZHANG. Scheduling framework based on reinforcement learning in online-offline colocated cloud environment [J]. Journal on Communications, 2023, 44(6): 90-102.
[2]	Huaqun WANG, Zhe LIU, Debiao HE, Jiguo LI. Identity-based provable data possession scheme for multi-source IoT terminal data in public cloud [J]. Journal on Communications, 2021, 42(7): 52-60.
[3]	Jianhong ZHANG, Menglong WU, Jing WANG, Pei LIU, Zhengtao JIANG, Changgen PENG. Secure and verifiable multi-keyword searchable encryption scheme in cloud [J]. Journal on Communications, 2021, 42(4): 139-149.
[4]	Ruiqi LI, Chunfu JIA, Yafei WANG. Multi-key homomorphic proxy re-encryption scheme based on NTRU and its application [J]. Journal on Communications, 2021, 42(3): 11-22.
[5]	Jiawei ZHANG, Jianfeng MA, Zhuo MA, Teng LI. Time-based and privacy protection revocable and traceable data sharing scheme in cloud computing [J]. Journal on Communications, 2021, 42(10): 81-94.
[6]	Wenjuan WANG, Xuehui DU, Dibin SHAN. Construction method of attack scenario in cloud environment based on dynamic probabilistic attack graph [J]. Journal on Communications, 2021, 42(1): 1-17.
[7]	Youliang TIAN,Qin LUO. Verifiable multi-keyword search scheme based on improved Merkle-Tree authentication method [J]. Journal on Communications, 2020, 41(9): 118-129.
[8]	Na WANG,Kun ZHENG,Junsong FU,Jian LI. Method of ciphertext retrieval in mobile edge computing based on block segmentation [J]. Journal on Communications, 2020, 41(7): 95-102.
[9]	Lindong ZHAO,Wenqin ZHUANG,Jianxin CHEN,Liang ZHOU. Hierarchical task offloading in heterogeneous cellular network:modeling and optimization [J]. Journal on Communications, 2020, 41(4): 34-44.
[10]	Bing LIANG,Wen JI. Multiuser computation offloading for edge-cloud collaboration using submodular optimization [J]. Journal on Communications, 2020, 41(10): 25-36.
[11]	SU Mingfeng,WANG Guojun,LI Renfa. Multidimensional QoS cloud computing resource scheduling method based on stakeholder perspective [J]. Journal on Communications, 2019, 40(6): 102-115.
[12]	CHEN Xingshu,HUA Qiang,WANG Yitong,GE Long,ZHU Yi. Research on low-rate DDoS attack of SDN network in cloud environment [J]. Journal on Communications, 2019, 40(6): 210-222.
[13]	Wanliang WANG, Zelin ZANG, Guoqi CHEN, Hangyao TU, Yule WANG, Linyan LU. Research on optimal two element exchange algorithm for large scale cloud computing server scheduling problem [J]. Journal on Communications, 2019, 40(5): 180-191.
[14]	Tian WANG,Xuewei SHEN,Hao LUO,Baisheng CHEN,Guojun WANG,Weijia JIA. Research progress of trusted sensor-cloud based on fog computing [J]. Journal on Communications, 2019, 40(3): 170-181.
[15]	Xinfeng HE,Junfeng TIAN,Fanming LIU. Survey on trusted cloud platform technology [J]. Journal on Communications, 2019, 40(2): 154-163.