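1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049
3. School of Information Management, Xinjiang University of Finance and Economics, Urumqi, Xinjiang 830012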
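Bibo TU (涂碧波, 1977- ), male, born in Hong'an, Hubei; Ph.D.; research fellow and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences. His main research interests are frontier data center technologies and security architecture.
Jie CHENG (程杰, 1994- ), female, born in Qinhuangdao, Hebei; Ph.D. candidate at the University of Chinese Academy of Sciences. Her main research interests are trusted computing and cloud computing security.
Haojun XIA (夏豪骏, 1987- ), male, born in Ezhou, Hubei; Ph.D. candidate at the University of Chinese Academy of Sciences and engineer at the Institute of Information Engineering, Chinese Academy of Sciences. His main research interest is secure and trusted embedded systems.
Kun ZHANG (张坤, 1987- ), female, born in Jinan, Shandong; Ph.D. candidate at the University of Chinese Academy of Sciences and senior engineer at the Institute of Information Engineering, Chinese Academy of Sciences. Her main research interests include operating systems and virtualization security.
Ruina SUN (孙瑞娜, 1982- ), female, born in Urumqi, Xinjiang; Ph.D. candidate at the University of Chinese Academy of Sciences and lecturer at Xinjiang University of Finance and Economics. Her main research interests are cloud security and software-defined networking.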
Online publication date: 2021-12
Print publication date: 2021-12-25
Bibo TU, Jie CHENG, Haojun XIA, et al. Overview of research on trusted attestation technology of cloud virtualization platform[J]. Journal on Communications, 2021, 42(12): 212-225. DOI: 10.11959/j.issn.1000-436x.2021213.
With the rapid development of cloud computing, the security of cloud platforms has attracted much attention. Trusted computing is an important supporting technology in the cloud security architecture, and trusted attestation is an important feature of trusted computing: it is used to verify whether a cloud virtualization platform is trustworthy, providing a foundation for ensuring the security of the cloud platform. Starting from the definition of trusted attestation, this survey systematically reviews research progress on the key technologies of the virtualization platform, namely root-of-trust virtualization, platform identity attestation, platform state attestation, and trusted attestation frameworks for virtual machines. Typical schemes are analyzed and compared, the limitations of existing work are discussed, and finally future research trends in this area are pointed out.