Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, Hubei, China
FAN Peiru (b. 1990), female, from Xinzhou, Shanxi; Ph.D. candidate at Wuhan University; main research interests: virtualization and cloud security.
ZHAO Bo (b. 1972), male, from Qingdao, Shandong; professor and doctoral supervisor at Wuhan University; main research interests: trusted computing, virtualization security, embedded system security.
NI Mingtao (b. 1977), male, from Tianmen, Hubei; Ph.D. candidate at Wuhan University; main research interests: trusted computing, IoT security.
CHEN Zhihong (b. 1984), female, from Chongqing; Ph.D. candidate at Wuhan University; main research interests: virtualization and cloud storage security.
Online publication date: 2018-04
Print publication date: 2018-04-25
Peiru FAN, Bo ZHAO, Mingtao NI, et al. APM: agent protection mechanism applied for IaaS platform [J]. Journal on Communications, 2018, 39(4): 176-188. DOI: 10.11959/j.issn.1000-436x.2018069. (Chinese title: APM:适用于IaaS平台的agent保护机制)
In an IaaS platform, false or fabricated test data contaminates evaluation results, so the platform cannot give users a fair and impartial basis for choosing between providers. To address this problem, an agent protection mechanism (APM) for the test agent of an IaaS platform is proposed. It guarantees the integrity of the agent and the correctness of the commands it executes without requiring additional hardware or software support. A challenge-based method for verifying that APM is still effective is also proposed, so that IaaS nodes whose APM has failed are discovered promptly and the damage is limited. An experimental environment based on APM was implemented to measure its effectiveness and performance overhead. The results show that the mechanism effectively protects agent integrity and the correctness of command execution, and that the performance cost it imposes on the IaaS platform is small.
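The abstract names a challenge-based check that lets a verifier tell a healthy test agent from a tampered or replaced one, and bind each command result to a specific, fresh challenge. The following is an added illustration of that idea, not code from the paper or from APM itself, whose actual design the page does not describe. It assumes a per-node key provisioned out of band, a SHA-256 measurement of the agent image as the integrity evidence, and an HMAC over nonce, measurement, command and output as the response format; the agent image, command table and node names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins: the agent "image" and a per-node key assumed to be
# provisioned out of band. The page does not describe APM's real design;
# this is a generic challenge-response integrity check for illustration.
AGENT_CODE = b"def run(cmd): ...  # constructed stand-in for the agent image"
NODE_KEY = b"per-node-key-provisioned-at-deploy"


def measure(code: bytes) -> bytes:
    """Integrity measurement of the agent image: SHA-256 of its bytes."""
    return hashlib.sha256(code).digest()


def mac(key: bytes, nonce: bytes, measurement: bytes, cmd: str, output: bytes) -> bytes:
    """HMAC binding the fresh nonce, the measurement and the command result."""
    msg = nonce + measurement + cmd.encode() + output
    return hmac.new(key, msg, hashlib.sha256).digest()


class Agent:
    """Test agent on one IaaS node; `code` is the image it actually runs."""

    def __init__(self, code: bytes, key: bytes):
        self.code = code
        self.key = key

    def execute(self, cmd: str) -> bytes:
        # Constructed command table standing in for real benchmark commands.
        table = {"cpu_bench": b"score=1000", "disk_bench": b"iops=4200"}
        return table.get(cmd, b"unknown")

    def respond(self, nonce: bytes, cmd: str) -> dict:
        output = self.execute(cmd)
        m = measure(self.code)
        return {"nonce": nonce, "measurement": m, "cmd": cmd,
                "output": output, "tag": mac(self.key, nonce, m, cmd, output)}


class Verifier:
    """Issues challenges and records nodes whose answers fail verification."""

    def __init__(self, key: bytes, golden: bytes):
        self.key = key
        self.golden = golden          # expected measurement of a clean agent
        self.outstanding = set()      # nonces issued but not yet answered
        self.failed_nodes = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, node: str, r: dict) -> bool:
        fresh = r["nonce"] in self.outstanding
        self.outstanding.discard(r["nonce"])      # each nonce is single-use
        expected = mac(self.key, r["nonce"], r["measurement"], r["cmd"], r["output"])
        ok = (fresh and r["measurement"] == self.golden
              and hmac.compare_digest(r["tag"], expected))
        if not ok:
            self.failed_nodes.add(node)     # flag the node for follow-up
        return ok


def run_round(verifier: Verifier, node: str, agent: Agent, cmd: str) -> bool:
    return verifier.check(node, agent.respond(verifier.challenge(), cmd))


def demo() -> dict:
    """Healthy node passes; modified image, altered output and replay fail."""
    v = Verifier(NODE_KEY, measure(AGENT_CODE))
    good = Agent(AGENT_CODE, NODE_KEY)
    modified = Agent(AGENT_CODE + b"\n# injected code", NODE_KEY)
    results = {
        "healthy": run_round(v, "node-a", good, "cpu_bench"),
        "modified_agent": run_round(v, "node-b", modified, "cpu_bench"),
    }
    # Altered result: output changed after the tag was computed.
    forged = dict(good.respond(v.challenge(), "cpu_bench"), output=b"score=9999")
    results["forged_output"] = v.check("node-c", forged)
    # Replay: a captured, already-accepted answer presented again.
    captured = good.respond(v.challenge(), "disk_bench")
    results["first_use"] = v.check("node-a", captured)
    results["replay"] = v.check("node-d", captured)
    results["failed_nodes"] = sorted(v.failed_nodes)
    return results


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as two assumptions: that the node key cannot be read by whoever tampers with the agent, and that the measurement reported is the one actually computed over the running image. An attacker who controls the agent process and holds the key can answer with the golden hash and any output, which is exactly the gap the abstract says APM closes without extra hardware; the page does not say how, so a deployment would have to establish that property separately (for instance by keeping the key and measurement logic outside the agent's reach).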