基于SGX的虚拟机动态迁移安全增强方法

doi:10.11959/j.issn.1000-436x.2017183

Abstract

Abstract:

The virtual machine may face the problem of information leakage in live migration.Therefore,a dynamic memory protection technique SGX was introduced and a security enhancement live migration method based on KVM environment was proposed.Firstly,on both sides of migration,a hardware-isolated secure execution environment centered SGX was built.It guaranteed the security of operations like encryption and integrity measurement and also ensured the security of private data.An encrypted channel to transfer migration data based on the remote attestation between the secure execution environments of both migration sides was constructed.And the mutual authentication of both sides’ platform integrity was realized.Finally,the security enhancement effect and did the experiment was analyzed.The results shows that the introduction of SGX won’t cause much negative effect to the migration performance.

Key words: virtualization, live migration, Intel SGX, remote attestation, integrity measurement

CLC Number:

TP391

Yuan SHI,Huan-guo ZHANG,Bo ZHAO,Zhao YU. Security-enhanced live migration based on SGX for virtual machine[J]. Journal on Communications, 2017, 38(9): 65-75.

Figures/Tables 16

References 18

[1]	邹庆欣, 郝志宇, 云晓春 . 基于运行阶段特征的虚拟机实时迁移技术[J]. 通信学报, 2016,37(1): 170-179.
	ZOU Q X , HAO Z Y , YUN X C . Live migration based on the characteristics of operation stages for virtual machine[J]. Journal on Communications, 2016,37(6): 170-179.
[2]	ZHANG H G , HAN W B , LAI X J ,et al. Survey on cyberspace security[J]. Science China Information Sciences, 2015,58(11): 1-43.
[3]	OBERHEIDE J , COOKE E , JAHANIAN F . Empirical exploitation of live virtual machine migration[C]// BlackHat DC convention. 2008.
[4]	VAN C A , PIETERS W , WIERINGA R . Security implications of virtualization:a literature study[C]// IEEE International Conference on Computational Science and Engineering (CES). 2009: 353-358.
[5]	YAMUNADEVI L , ARUNA P , DEVI D S ,et al. Security in virtual machine live migration for KVM[C]// International Conference on Process Automation,Control and Computing (PACC). 2011: 1-6.
[6]	CHEN X , GAO X , WAN H ,et al. Application-transparent live migration for virtual machine on network security enhanced hypervisor[J]. China Communications, 2011,8(3): 32-42.
[7]	NAGIN K , HADAS D , DUBITZKY Z ,et al. Inter-cloud mobility of virtual machines[C]// International Conference on Systems and Storage. 2011: 1-12.
[8]	PATIL V P , PATIL G A . Migrating process and virtual machine in the cloud:load balancing and security perspectives[J]. International Journal of Advanced Computer Science ＆ Information Technology, 2012,1(1): 11-19.
[9]	BIN S N A , MASUDA H . Evaluation of a secure live migration of virtual machines using IPSEC implementation[C]// IEEE International Conference on Advanced Applied Informatics. 2014: 687-693.
[10]	范伟, 孔斌, 张珠君 ,等. KVM 虚拟化动态迁移技术的安全防护模型[J]. 软件学报, 2016,27(6): 1402-1416.
	FAN W , KONG B , ZHANG Z J ,et al. Security protection model on live migration for KVM virtualization[J]. Journal of Software, 2016,27(6): 1402-1416.
[11]	WANG W , ZHANG Y , LIN B ,et al. Secured and reliable VM migration in personal cloud[C]// International Conference on Computer Engineering and Technology. 2010: 705-709.
[12]	ASLAM M , GEHRMANN C , BJORKMAN M . Security and trust preserving VM migrations in public clouds[C]// IEEE International Conference on Trust,Security and Privacy in Computing and Communications. 2012: 869-876.
[13]	ANATI I , GUERON S , JOHNSON S ,et al. Innovative technology for CPU based attestation and sealing[C]// International Workshop on Hardware and Architectural Support for Security and Privacy (HASP). 2013.
[14]	HOEKSTRA M , LAL R , PAPPACHAN P ,et al. Using innovative instructions to create trustworthy software solutions[C]// International Workshop on Hardware and Architectural Support for Security and Privacy (HASP). 2013.
[15]	Mckeen F , ALEXANDROVICH I , BERENZON A ,et al. Innovative instructions and software model for isolated execution[C]// International Workshop on Hardware and Architectural Support for Security and Privacy (HASP). 2013.
[16]	BERGER S , CACERES R ,et al. vTPM:virtualizing the trusted platform module[C]// The 15th conference on USENIX Security Symposium. 2006: 305-320.
[17]	SHI Y , ZHAO B , YU Z ,et al. A security-improved scheme for virtual TPM based on KVM[J]. Wuhan University Journal of Natural Sciences, 2015,20(6): 505-511.
[18]	FAN P R , ZHAO B , SHI Y . An improved vTPM-VM live migration protocol[J]. Wuhan University Journal of Natural Sciences, 2015,20(6): 512-520.

Metrics

Recommended 0

No Suggested Reading articles found!

API	含义
void tpm_state_read(unsigned char*buffer,uint32_t buflen)	读取vTPM易失性状态
void tpm_state_write(unsigned char*buffer,uint32_t buflen)	写入vTPM易失性状态
void qemu_volatilestate_enc(ObjectData volatiledata,void data)	易失性状态加密
void qemu_volatilestate_dec(ObjectData volatiledata,void data)	易失性状态解密

分组	Normal/ms	KVM/ms	SGX-based/ms
第1组	23 132	23 476	23 563
第2组	23 298	23 301	23 381
第3组	23 231	23 562	23 633
第4组	23 138	23 368	23 456
第5组	23 272	23 591	23 657

Security-enhanced live migration based on SGX for virtual machine

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 16

References 18

Related Articles 15

Metrics

Recommended 0

[1]	Ling MA, Qiliang FAN, Ting XU, Guanchen GUO, Shenglin ZHANG, Yongqian SUN, Yuzhi ZHANG. Scheduling framework based on reinforcement learning in online-offline colocated cloud environment [J]. Journal on Communications, 2023, 44(6): 90-102.
[2]	Zexi XU, Lei ZHUANG, Kunli ZHANG, Mingyu GUI. Online placement algorithm of service function chain based on knowledge graph [J]. Journal on Communications, 2022, 43(8): 41-51.
[3]	Hang QIU, Hongbo TANG, Wei YOU, Yu ZHAO, Yi BAI. QGA-based network service extension algorithm in NFV [J]. Journal on Communications, 2022, 43(11): 44-52.
[4]	Bibo TU, Jie CHENG, Haojun XIA, Kun ZHANG, Ruina SUN. Overview of research on trusted attestation technology of cloud virtualization platform [J]. Journal on Communications, 2021, 42(12): 212-225.
[5]	Ze’nan WANG, Jiao ZHANG, Shuo WANG, Tao HUANG, F.Richard Yu. Service chain deployment algorithms for deterministic end-to-end delay upper bound [J]. Journal on Communications, 2021, 42(11): 66-78.
[6]	Kan WANG,Nan ZHAO,Junhuai LI,Huaijun WANG. Service function chain embedding algorithm with wireless multicast in mobile edge computing network [J]. Journal on Communications, 2020, 41(10): 37-47.
[7]	Chen SUN,Jun BI,Zhilong ZHENG,Shuhe WANG,Hongxin HU. MicroNF:a microservice-based hybrid framework for NFV [J]. Journal on Communications, 2019, 40(8): 54-59.
[8]	Zengyin YANG,Hewu LI,Qian WU,Jianping WU,Jun LIU. Emulation platform for inter-domain protocols validation of integrated space-terrestrial network [J]. Journal on Communications, 2019, 40(5): 1-12.
[9]	Ruyan WANG,Yishuang GAO,Xiao CHEN. Reliable transmission mechanism with differentiated protection in virtualized fiber-wireless access network [J]. Journal on Communications, 2019, 40(3): 36-47.
[10]	Xinfeng HE,Junfeng TIAN,Fanming LIU. Survey on trusted cloud platform technology [J]. Journal on Communications, 2019, 40(2): 154-163.
[11]	Julong LAN,Zijin JIN,Penghao SUN,Yiming JIANG,Yue WANG. Service function chain construct algorithm based on reliability [J]. Journal on Communications, 2019, 40(1): 64-70.
[12]	Ruyan WANG,Ningning XU. Resource allocation mechanism in the TWDM-PON and C-RAN joint architecture with hybrid energy supply [J]. Journal on Communications, 2018, 39(9): 94-109.
[13]	Tao HUANG,Jiang LIU,Chen ZHANG,Liang WEI,Yunjie LIU. Survey on SDN-based network testbeds [J]. Journal on Communications, 2018, 39(6): 155-168.
[14]	Hongqi ZHANG,Rui HUANG,Yingjie YANG,Dexian CHANG,Liancheng ZHANG. Cross-domain service chain mapping mechanism based on Q-learning [J]. Journal on Communications, 2018, 39(12): 102-112.
[15]	Xingshu CHEN,Wei WANG,Xin JIN. Label-based protection scheme of vTPM secret [J]. Journal on Communications, 2018, 39(11): 170-180.