基于TCM的安全Windows平台设计与实现

冯伟; 秦宇; 冯登国; 杨波; 张英骏

doi:10.11959/j.issn.1000-436x.2015139

您当前的位置：

首页 >

文章列表页 >

基于TCM的安全Windows平台设计与实现

学术论文 | 更新时间：2024-06-05

- 基于TCM的安全Windows平台设计与实现
- Design and implementation of secure Windows platform based on TCM
- 通信学报 2015年36卷第8期页码：91-103
- 作者机构：
  
  中国科学院软件研究所可信计算与信息保障实验室，北京 100190
- 作者简介：
  
  [ "冯伟（1986-），男，湖北荆州人，中国科学院软件研究所博士生，主要研究方向为可信计算、网络与系统安全。" ]
  [ "秦宇（1979-），男，重庆人，中国科学院软件研究所高级工程师，主要研究方向为可信计算、网络与系统安全。" ]
  [ "冯登国（1965-），男，陕西靖边人，中国科学院软件研究所研究员，主要研究方向为可信计算与信息保障、网络与信息安全。" ]
  [ "杨波（1988-），男，河南沁阳人，中国科学院软件研究所博士生，主要研究方向为可信计算、移动平台匿名系统。" ]
  [ "张英骏（1990-），男，河北秦皇岛人，中国科学院软件研究所硕士生，主要研究方向为可信计算与信息保障。" ]
- 基金信息：
  
  国家自然科学基金资助项目(61202414);国家自然科学基金资助项目(91118006)
- DOI：10.11959/j.issn.1000-436x.2015139
  中图分类号： TP309
- 网络出版日期：2015-08，
  
  纸质出版日期：2015-08-25
- 稿件说明：
移动端阅览
冯伟, 秦宇, 冯登国, 等. 基于TCM的安全Windows平台设计与实现[J]. 通信学报, 2015,36(8):91-103.

Wei FENG, Yu QIN, Deng-guo FENG, et al. Design and implementation of secure Windows platform based on TCM[J]. Journal on communications, 2015, 36(8): 91-103.
冯伟, 秦宇, 冯登国, 等. 基于TCM的安全Windows平台设计与实现[J]. 通信学报, 2015,36(8):91-103. DOI： 10.11959/j.issn.1000-436x.2015139.

Wei FENG, Yu QIN, Deng-guo FENG, et al. Design and implementation of secure Windows platform based on TCM[J]. Journal on communications, 2015, 36(8): 91-103. DOI： 10.11959/j.issn.1000-436x.2015139.

摘要

为了解决 Windows 系统的完整性度量与证明问题，提出了一种基于可信密码模块 TCM(trusted cryptography module)的安全Windows平台方案。通过扩展Windows内核实现了2种安全模式：在度量模式下，所有加载的可执行程序都会被度量，度量值由 TCM 提供保护和对外认证；在管控模式下，度量值会进一步与管理员定制的白名单进行匹配，禁止所有不在白名单中的程序执行。实验分析表明，该方案可以增强Windows系统的安全性，抵抗一些软件攻击行为；同时，系统平均性能消耗在20～30ms之间，不会影响Windows的正常运行。

Abstract

A secure Windows platform solution based on TCM was proposed to solve the integrity measurement and attestation problem of the Windows system.Two security modes were realized by extending the Windows kernel:in the measurement mode

all executable contents that were loaded onto the Windows system were measured

and the TCM provided the protection and outward attestation for these measurements; and in the control mode

the measurements were further compared with a whitelist customized by an administrator

and all the programs that were not included in the whitelist would be prohibited from running.Experiment analysis shows that proposed solution can enhance the security of Windows platform and resist some software attacks; and at the same time

the average performance overhead is about 20～30ms

which will not influence the normal running of Windows.

关键词

Keywords

references

Available online [EB/OL ] . http://web.vrv.com.cn/news_detail/newsId=e7f4db6b-7321-4fc3-b475-86eed3e83377.html http://web.vrv.com.cn/news_detail/newsId=e7f4db6b-7321-4fc3-b475-86eed3e83377.html .

国家密码管理局 . 可信计算密码支撑平台功能与接口规范 [S ] . 2007 .

Chinese Commercial Cryptography Administration Office . Functionality and Interface Specification of Cryptographic Support Platform for Trusted Computing [S ] . 2007 .

Trusted Computing Group . Trusted Platform Module Main Specification [S ] . Version 1.2,Revision 103 2007 .

BRYAN P , JONATHAN M M , ADRIAN P . Bootstrapping trust in commodity computers [A ] . Proceedings of the IEEE Symposium on Security and Privacy [C ] . 2010 . 414 - 429 .

SAILER R , ZHANG X L , JAEGER T , et al . Design and implementation of a TCG-based integrity measurement architecture [A ] . Proceedings of USENIX Security '04 [C ] . Berkeley :USENIX Association, 2004 . 223 - 238 .

JAEGER T , SAILER R , SHANKAR U . PRIMA:policy-reduced integrity measurement architecture [A ] . In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies [C ] . New York : ACM Press , 2006 . 19 - 28 .

冯登国 , 秦宇等 . 可信计算技术研究 [J ] . 计算机研究与发展 , 2011 , 48 ( 8 ): 1332 - 1349 .

FENG D G , QIN Y , et al . Research on trusted computing technology [J ] . Journal of Computer Research and Development , 2011 , 48 ( 8 ): 1332 - 1349 .

Trusted Computing Group . Trusted Platform Module Library:Part 1-Part 4 [S ] . Family 2.0,Level 00 Revision 00.96 , 2013 .

NUNO S , RODRIGO R , KRISHNA P.G , STEFAN S . Policy-sealed data:a new abstraction for building trusted cloud services [A ] . Proceedings of the 21st USENIX Security Symposium [C ] . Bellevue,WA , 2012 . 10 .

KURT D , JOHANNES W . Implementation aspects of mobile and embedded trusted computing [A ] . Proceedings of the 2nd International Conference on Trusted Computing [C ] . 2009 . 29 - 44 .

FENG W , FENG D G , WEI G , et al . TEEM:a user-oriented trusted mobile device for multi-platform security applications [A ] . Trust and Trustworthy Computing [C ] . 2013 . 133 - 141 .

FENG W , QIN Y , FENG D G , et al . Mobile trusted agent(MTA):build user-based trust for general-purpose computer platform [A ] . Proceedings of Network and System Security [C ] . Springer Berlin Heidelberg , 2013 . 307 - 320 .

CHEN C , HIMANSHU R , STEFAN S , ALEC W . cTPM:a cloud TPM for cross-device trusted applications [A ] . Proceedings of 11th USENIX Symposium on Networked Systems Design and Implementation [C ] . DEATTLE,WA , 2014 . 187 - 201 .

CHEN L Q , LI J T . Flexible and scalable digital signatures in TPM 2.0 [A ] . Proceedings of ACM SIGSAC Conference on Computer and Communications Security [C ] . New York,NY,USA , 2013 . 37 - 48 .

NAUMAN M,KHAN S , ZHANG X , SEIFERT J P . Beyond kernel-level integrity measurement:enabling remote attestation for the Android platform [A ] . Trust and Trustworthy Computing [C ] . 2010 . 1 - 15 .

ZHANG X W , JEAN-PIERRE S , ONUR A . Design and implementation of efficient integrity protection for open mobile platforms [J ] . IEEE Transactions on Mobile Compuring , 2014 , 13 ( 1 ): 188 - 201 .

LI Y L , JONATHAN M.M , ADRIAN P . SBAP:software-based attestation for peripherals [A ] . Proceedings of the 3rd International Conference on Trust and Trustworthy Computing [C ] . 2010 .

LI Y L , JONATHAN M M , ADRIAN P . VIPER:verifying the integrity of PERipherals' firmware [A ] . Proceedings of the 18th ACM Conference on Computer and Communications Security [C ] . 2011 . 3 - 16 .

KARIM E D,AURÉLIEN F , DANIELE P , GENE T . SMART:secure and minimal architecture for(establishing a dynamic)root of trust [A ] . Network and Distributed System Security Symposium(NDSS) [C ] . 2012 .

SPARKS E R . A security assessment of trusted platform modules [R ] . Technical Report TR2007-597,Dartmouth College , 2007 .

张帆等 . Windows 驱动开发技术详解 [M ] . 北京 : 电子工业出版社 , 2008 .

ZHANG F , et al . Windows Driver Development Internals [M ] . Beijing : Publishing House of Electronics Industry of ChinaPress , 2008 .

潘爱民 . Windows内核原理与实现 [M ] . 北京 : 电子工业出版社 , 2010 .

PAN A M . Windows Kernel Principle and Realization [M ] . Beijing : Publishing House of Electronics Industry of ChinaPress , 2010 .

谭文 , 邵坚磊 . 天书夜读-从汇编语言到Windows内核编程 [M ] . 北京 : 电子工业出版社 , 2008 .

TAN W , SHAO J L . Reading Sanscrit at Midnight – From Assembly Language to Windows Kernel programming [M ] . Beijing : Publishing House of Electronics Industry of ChinaPress , 2008 .

浏览量

2589

下载量

CSCD

文章被引用时，请邮件提醒。

提交

工具集

关联资源

理性安全的公平两方比较协议

云虚拟化平台可信证明技术研究综述

可信云平台技术综述

基于标签的vTPM私密信息保护方案

基于TPA云联盟的数据完整性验证模型