CN103841198A

CN103841198A - Cleanroom cloud computing data processing method and system

Info

Publication number: CN103841198A
Application number: CN201410083476.6A
Authority: CN
Inventors: 王国军; 刘琴; 刘湘勇; 齐芳
Original assignee: Central South University
Current assignee: Central South University
Priority date: 2014-03-07
Filing date: 2014-03-07
Publication date: 2014-06-04
Anticipated expiration: 2034-03-07
Also published as: CN103841198B

Abstract

The invention discloses a cleanroom cloud computing data processing method and system. According to the cleanroom cloud computing data processing method and system, a cleanroom cloud computing model serves as the framework, a cleanroom state security framework establishing technology, a cleanroom state security migration technology and a cleanroom state real-time monitoring technology serve as technological means, and the cleanroom cloud computing model is composed of a trusted virtual machine monitor (TVMM), a trusted node manager (TNM) and a trusted node (TN). When the integrity of an execution environment is destroyed, the trusted virtual machine monitor gives an alarm to a user. The cleanroom cloud computing data processing method and system have the advantage of being high in safety performance.

Description

A kind of clean room cloud computing data processing method and system

Technical field

The present invention relates to a kind of clean room cloud computing data processing method and system.

Background technology

Cloud computing technology is one of the most popular topic of computer realm in recent years, is becoming one of of paramount importance trend of following computing technique development.The internationally famous Gartner of science shop organizes the information of every annual meeting synthesise various to issue IT technology trends, and chooses the ten large key technologies that next three years merits attention most.This is organized in the report of up-to-date issue in 2014, and cloud computing technology remains one of ten great strategy technological trends.In addition, the research report of the up-to-date issue of the IDC of market research agency is produced and is claimed, cloud computing technology produces far-reaching influence to IT market, and it not only can be for supplier creates many new chances, and is promoting the variation of conventional I T industry generation essence.IDC prediction, cloud computing in 2014, by the consumption that drives 100,000,000,000 dollars, increased by 25% than 2013; And the underlying hardware construction such as China's cloud computing centers in 2014 can peak, cloud computing architecture market in general scale to 2015 year will exceed 2,000,000,000 dollars.

Cloud computing technology has now become one of guidance quality index of a national industry and information security.In September, 2009, U.S. government has announced a long-term cloud computing policy.The cloud computing deployment of government department, in " report of digital Britain " of within 2009, issuing, is appealed to strengthen by Britain.Korean government determines, before 2014, drops into huge fund to cloud computing field, strives for making Korea S's cloud computing market scale to expand current 4 times to.China has started to formulate the national strategical planning of cloud computing.In October, 2010, Ministry of Industry and Information and the Committee of Development and Reform combine and have issued " about the notice of carrying out the demonstration work of cloud computing service innovation pilot ", clearly in Beijing, Shanghai, Shenzhen, Hangzhou, 5 of Wuxis cities carries out cloud computing pilot.In State Council's " about decision of accelerating cultivation and development strategy new industry ", explicitly point out: greatly develop strategic new industries such as comprising energy-conserving and environment-protective, generation information technology, biology, high-end equipment manufacture, new forms of energy, new material and new-energy automobile.Cloud computing just belongs to the wherein category of generation information technology.

Along with the development of cloud computing technology, the safety problem in cloud computing more and more receives the concern of industrial circle and academia.Security expert generally believes that cloud computing technology is also very immature, and information security issue has had a strong impact on the paces of disposing cloud computing service.Gartner organized once and pointed out: although cloud computing has very wide application prospect and huge commercial value, but, for the user who uses this service, they should be appreciated that cloud computing service exists the access of superuser, the property examined, Data Position, data isolation, data recovery, investigation support and the large potential security risk of long term survival seven [3].In fact,, in these security risks, some risks occur.For example, Google company reveals privacy of user event, and the service disruption event of Amazon EC2, Google Apps, Windows Azure.The cloud computing service survey report demonstration of issuing according to IDC, service safe, stability and performance performance are the three large market challenges [4] that cloud computing service faces.

Information security concerns national politics, economy and the various aspects such as cultural.China explicitly points out the critical role of information security technology in " 2006-2020 national information development strategy ", and will significantly improve the strategic objective of national information safety guarantee level as the year two thousand twenty China Informatization Development.Cloud computing technology, as a kind of emerging computation model that promotes scientific and technological progress and social development, has become focus and the commanding elevation of international competition, becomes one of important indicator of weighing a national overall national strength and competence in research.Realize secure cloud calculating and not only can promote China's politics, economy, science and technology and national security construction, and along with the development of cloud computing technology, this technology there is very important meaning for strengthening china's overall national strength and sci-tech innovation ability.

Therefore, be necessary to design the higher data processing method for cloud computing of a kind of fail safe and system.

Summary of the invention

Technical problem to be solved by this invention is to provide a kind of clean room cloud computing data processing method and system, and this clean room cloud computing data processing method and system have advantages of safe.

The technical solution of invention is as follows:

A kind of clean room cloud computing data processing method, take clean room cloud computing model as framework;

Described clean room cloud computing model is by credible virtual monitor unit (Trusted Virtual Machine Monitor, TVMM), trusted node manager (Trusted Node Manager, TNM) and trusted node (Trusted Node, TN) form;

Wherein, credible virtual monitor unit is that TVMM is the software [realization of TVMM is with reference to clean room state security framework constructing technology] between hardware platform and user virtual machine, and is positioned in secure border, is responsible for the operation of monitoring virtual machine; [virtual machine refers to the computer system with complete hardware system function of simulation, is that CSP offers user as service, concerning user, just looks like to use actual computer the same.】

Trusted node be TN for be positioned at secure border with, moved the node of creditable calculation modules (Trusted Platform Module, TPM);

Trusted node manager is that TNM is positioned at beyond secure border, is not subject to the control of CSP, can be both the software that user moves, and can be also the software that user entrusts trusted third party's operation;

TN registers to TNM, TNM safeguards a registration table, in order to management be positioned at secure border with all nodes, and by the trusted node set of the record management dynamic change in increase/delete list, thereby guarantee to only have trusted node can participate in deploying virtual machine and transition process, and guarantee the fail safe of whole deployment and transition process;

Based on the use agreement of user and CSP signing, user carries out concealed measurement [method of measurement is shown in clean room state security framework constructing technology] by credible virtual monitor unit to service execution environment; If the integrality of execution environment is destroyed, credible virtual monitor unit provides warning to user;

Described use agreement has determined that CSP provides the authority of service.

The situation of violating described use agreement comprises spies on, distorts and destroy service execution environment, is also user virtual machine.

Embed credible platform module (TPM) chip at the mainboard of trusted node, so that the root of trust of credible calculating to be provided; In TPM, there are a series of platform configuration register (Platform Configuration Register, PCR); PCR is the measurement root of trust program of TPM, monitor the input/input bus between (i.e. eavesdropping) external equipment and CPU I/O control centre by secret, obtain the measurement result of the software execution environment from external equipment to platform, and be recorded in volatile memory; User is by remote authentication mode, " challenge-reply " mechanism is obtained the measurement result in multiple PCR, and by the measurement list receiving and desired value comparison, thereby judge whether VMM is deployed on the Cloud Server that has embedded credible platform module, and judge the whether safety of start-up course of VMM;

In remote authentication process, obtain the true context environmental of VMM, comprise data and the code of VMM, and the integrality state of CPU; Authentication result is sent to remote authentication side safely, and is not tampered and fakes;

Having equipped in trusted node can Remote triggering system management interrupt (System Management Interrupt, SMI) frequency band outer channel (for example, IBM BladerCenter), utilize System Management Mode (System Management Model, SMM), IPMI (Intelligent Platform Management Interface, IPMI), and Baseboard Management Controller (Baseboard Management Controller, BMC), the dynamic integrality of the running of the mode of user by remote authentication to VMM is carried out hidden close detection, and guarantee that proof procedure is not interrupted or distorts, obtain true, credible, complete measurement result.

When the operation of TVMM, the detection of integrality is carried out by dynamic management device (Dynamic Management, DM); DM is by two module compositions: be arranged in the system management interrupt processor (System Management Random Access Memory, SMRAM) of system management random access memory and be positioned at TVMM integrity measurement agency; User utilizes based on IPMI and BMC frequency band outer channel, realizes the dynamic integrality of VMM running is detected in the mode of far call DM.

In remote authentication process:

1. realize concealed measurement: the SMI first being produced by BMC may be cancelled by the VMM of malice or re-route; If SMI is cancelled, remote entity cannot be received measurement result in finite time, thereby infer that SMI is cancelled by VMM malice; Secondly, VMM has the ability that triggers SMI, can call to conceal original SMI by puppet measurement and call; In order to distinguish by frequency band outer channel, calling with the puppet of VMM of SMI called, adopt a series of status registers that can not be distorted by software to store the type that SMI calls, and adopt universal input port routing table to record the interrupt type that each universal input port produces, guarantee to only have the universal input port being connected with BMC could trigger SMI;

2. guarantee the integrality of DM assembly: first, need to realize the credible startup of SMI processor, the credible measurement root of core (Core Root ofTrust Measurement from BIOS, CRTM) inspection of complete self-examination and executable code starts, until all component is all measured complete in start-up course; Secondly, need to guarantee that SMI processor is before calling measurement agent, first computation and measurement is acted on behalf of the cryptographic Hash of correlative code, with confirmatory measurement agency's integrality;

3. guarantee that proof procedure is not interrupted or distorts that [proof procedure Once you begin just not allows to be interrupted or to distort, and guarantees the continuity of proof procedure, that is to say and guarantees that this checking is initial that original checking of initiating always.]: in order to guarantee that proof procedure Once you begin just can not be interrupted or distort, once guarantee to measure in implementation, interruption or abnormal has occurred, stream is controlled in measurement will directly forward SMI processor to;

4. guarantee measurement environment information integrity: obtain complete, the real context environmental of VMM, comprise data and the code of VMM, in the time being interrupted by SMI, adopt rollback technology, by injecting an instruction that causes virtual machine unconditionally to exit, force CPU core to transfer to VMM from user virtual machine; Back off procedure is as follows: keep the value in all registers, and next instruction and address; Inject a privileged instruction and replace next instruction; Once an event is counted, Performance register is set for overflowing; Revise Advanced Programmable Interrupt Controllers APICs (Local Advanced Programmable Interrupt Controller, LAPIC) to such an extent as to Performance register overflows and causes SMI to interrupt;

Model adopts remote authentication mode to guarantee the authenticity of result: in system starting process, for platform produces a public/private keys pair, before pinning SMRAM, private key is left in SMRAM, and PKI is left in the static PCR of TPM; In order to obtain the result of measuring process, long-distance user sends a request and a random number is acted on behalf of to checking; Checking agency produces two different signature values by obtaining based on random number: first is static authentication output, by TPM private key signature; Second is the result of measuring, by the private key signature of SMI processor; By relatively sign can judged result authenticity.If [signature can be by the checking of PKI, shows that signature is legal effective, is also that measurement result is real.】

TNM safeguards a trusted node aggregate list, record be positioned at secure border with the public endorsement key of node, this node and the measurement list of expecting, and announce the endorsement key PKI of oneself, measurement list and the trusted key PKI of expectation; Between TNM and trusted node, carry out the credibility of mutual verification platform by the integrality of remote authentication confirmatory measurement list; In transition process, the credibility of source node request TNM checking destination node; If source node and destination node are all arranged in trusted node set, TNM allows two nodes directly to communicate; Between source node and destination node, consult a session key, encrypt the relevant information in virtual machine (vm) migration process; In order to guarantee integrality and the fail safe of virtual machine (vm) migration process, source node calculates the cryptographic Hash of virtual machine identity, and will after virtual machine identity and cryptographic Hash encryption, pass to destination node;

Concrete credible virtual machine transition process is as follows:

1) N _srequest TNM checking N _dcredibility: N _sfirst select a challenge of initiating to TNM

then utilize the private key of its trusted key

encrypted challenge and N _didentity

finally by produce ciphertext and

with the PKI of the trusted key of TNM

encrypt, and the result of generation is sent to TNM;

2) credibility of TNM checking source node and destination node: first, TNM utilizes the private key of its trusted key

decrypt, and checking N _sidentity whether be arranged in trusted node set; If N _sbe trusted node, utilize N _sthe PKI of trusted key

deciphering

and challenge, and checking N _didentity whether be arranged in trusted node set; If N _dbe trusted node, utilize the PKI of anxious trusted key

encrypted challenge and N _dthe PKI of trusted key

finally, again encrypt the ciphertext of generation with the private key of its trusted key, and result is returned to N _s;

3) N _swith N _dbetween consult a session key SK, to guarantee the state confidentiality in VM transition process, N _safter decrypt, can obtain N _dthe PKI of trusted key

n _sfirst select a session key SK, and to N _dinitiate a challenge

then, utilize the private key of its trusted key

encrypt SK and

finally, utilize N _dthe PKI of trusted key

encrypt the identity of oneself and the ciphertext of generation, and result is sent to N _d;

4) before the key that accepts session, N _dfirst verify N _swhether credible; N _dfirst utilize the private key of its trusted key

decrypt N _sidentity

then, N _dinitiate a challenge to TNM

and utilize the private key of its trusted key

encrypted challenge and finally utilize TNM trusted key public key encryption produce ciphertext and

and result is sent to TNM;

5) TNM decrypts N _sand N _didentity, verify whether both are trusted node; If so, first utilize N _dthe private key of trusted key

encrypted challenge and N _sthe PKI of trusted key

finally, with its trusted key private key encrypt the ciphertext generating, and the result of generation is returned to N _d;

6) if mutually authenticated N _dthe reply key SK that accepts session, and utilize SK encrypted challenge

after, send to N _s;

7) in order to guarantee integrality and the confidentiality of virtual machine (vm) migration process, N _scalculate the cryptographic Hash of virtual machine identity, and will after virtual machine identity and cryptographic Hash encryption, pass to N _d.

The virtual machine that TVMM operation is two types: user virtual machine and managing virtual machines; Managing virtual machines is responsible for memory space, the internal memory of configure user virtual machine, determines the strategy of employing, for user virtual machine provides high-level interface; For managing virtual machines provides a base interface, [base interface refers to the APl of software to TVMM, has encapsulated some functional modules of bottom, for calling on upper strata.] carry out these tasks, and initiate integrity measurement agency the integrality of user virtual machine is verified; Integrity measurement agency intercepts and captures all processes, comprises monitor service request, system call and hardware interrupts; System call, before handing to operating system of user kernel, can first be trapped in TVMM; Now, integrity measurement agency intercepts and captures all system calls that user virtual machine is initiated, and detects context environmental and the input parameter intercepted and captured;

Clean room state in real time monitoring relates to three processes: integrity measurement result and the protection user memory of initiatively monitoring, obtain Semantic Aware;

1) initiatively monitoring makes credible VMM can keep the up-to-date view of user virtual machine memory mapping; Once memory mapping changes,, in the time that user virtual machine creates, stops or revises consumer process or kernel module, TVMM can intercept and capture dependent event, and again initiates integrity checking; Comprise: 1. intercept and capture key user's event: in order to detect context environmental and the input of user virtual machine initiated event, once event is trapped in TVMM, integrity measurement agency checks register, software stack, the software heap of user virtual machine at once; The information detecting comprises: the instruction of event type, event argument, working procedure and stack pointer; Once kernel completes event handling, integrity measurement agency will force it to be again absorbed in TVMM; For interrupting with abnormal, the event return address being stored in kernel is become an illegal address by TVMM; Once event is returned to illegal address, the protection fault of TVMM will be caused being absorbed in.2. interception system calls: adopt the system call interception in system call Interception Technology and the kernel reentry situation in the situation of many return addresses to force system call to be intercepted and captured by TVMM before being delivered to system kernel, and make TVMM intercept and capture the system call that all user virtual machine send, and the context environmental calling and input parameter, thereby realize initiatively monitoring completely;

Integrity measurement is acted on behalf of the process that intercepting system calls: 1. process a initiates a system call; Integrity measurement agency preserves desired data, and debug registers is set; 2. kernel suspends the thread moving, calling process b; Before context switch occurs, to carry out and be trapped in TVMM, integrity measurement is acted on behalf of reset debug registers; 3. process b initiates a system call; Integrity measurement agency creates new one in list, and utilizes new value that debug registers is set; 4. kernel completes the system call of process b, and a debugger is absorbed in TVMM by instruction extremely.Before TVMM returns results to calling process, integrity measurement has been acted on behalf of the process that it is detected; 5. kernel continues calling of process a; Integrity measurement agency is known context switch, and recovers the value of the debug registers keeping; 6. called, integrity measurement agency starts to measure the storage area as calling result; 7. after load page, a protection exception occurs; This process is continued until that all pages are all loaded; 8. integrity measurement agency measures region of memory, recovers original kernel output, and returns to consumer process;

2) measurement result of obtaining complete and Semantic Aware requires operating system nucleus before working procedure, to load complete program, and is verified at once the integrality of whole program by credible VMM; Interception related system calls, and forces kernel before working procedure, to load complete routine, to guarantee to obtain complete metrical information; In the time that program code and primary data piecemeal are loaded into internal memory, the continuous hash function value that requires integrity measurement agency to calculate at once whole program is determined its integrality;

3) user memory protection: in order to guarantee only to carry out the user program of measured mistake, perfect measurement agency utilizes NX-bit page protection identification technology, once make the page from being there is protective emblem carry out instruction, will cause one to be trapped in the abnormal of TVMM; TVMM is absorbed in the renewal of all User Page tables, tests the address whether it mates the page carried out of any program association that has completed measurement, thus the information integrity that checking is obtained from user's kernel; Be modified for fear of all programs of having measured, integrity measurement agency be all designated the page carried out of all measurements and can not write; Measured the page once assailant attempts to revise, one will produce, and process is trapped in to TVMM extremely; In addition, executable operations and the write operation of a page of restriction can not occur simultaneously.

A kind of clean room cloud computing data handling system, is made up of credible virtual monitor unit TVMM, trusted node manager TNM and trusted node TN;

Wherein, credible virtual monitor unit is that TVMM is the software between hardware platform and user virtual machine, and is positioned in secure border, is responsible for the operation of monitoring virtual machine;

Trusted node be TN be positioned at secure border with, moved the node of creditable calculation modules TPM;

Based on the use agreement of user and CSP signing, user carries out concealed measurement by credible virtual monitor unit to service execution environment; If the integrality of execution environment is destroyed, credible virtual monitor unit provides warning to user; Described use agreement has determined that CSP provides the authority of service;

Described clean room cloud computing data handling system is according to the processing of aforesaid clean room cloud computing data processing method implementation data.

The present invention is conceived to the fail safe of data and running environment, not management method.

The assailant in cloud service environment is divided into two types by the present invention: external attacker and the person of internaling attack.Wherein, external attacker is the people that some security protections layer by layer that must break through CSP can be obtained some useful information, and the person of internaling attack is the people that can obtain easily some useful data in " cloud ", for example, and CSP itself.CSP is considered as potential attacker by the present invention, and how research prevents internaling attack of cloud computing system effectively.Existing research work is mainly the entity that CSP is considered as to " honest and curious ", be that CSP will (for example normally carry out user's operational order, can maliciously not distort result of calculation), but for example, to user data very curious (, can spy on user's sensitive data).CSP not only can spy on user's data, and can carry out honestly user's operational order, and for example, malice abandons the long-term no data of user.This security model can effectively prevent that CSP from spying on user's data, and can effectively prevent that CSP from carrying out user's operational order dishonestly.

Target of the present invention is in cloud computing environment, to guarantee in all directions the fail safe of user data processing procedure and storing process, and forms a set of complete theoretical system.This design philosophy is similar to the thought of " zero-fault " in " cleanroom software engineering " or " approaching zero-fault " software development.Therefore, we propose the brand new ideas of " clean room cloud computing (Cleanroom Cloud Computing is called for short CCC) ", wish to realize by current advanced person's technology the cloud computing service of " zero-fault " or " approaching zero-fault ".As shown in Figure 1, clean room cloud computing theory is divided into calculating execution environment " service state " and " clean room state ".User signs security service agreement (Secure Service Agreement, SSA) with CSP as required.Before SSA comes into force, execution environment is in " service state ", and now CSP is sovereign power entity, is in charge of and controls all infrastructure, platform, resource and service.Once SSA comes into force, execution environment enters " clean room state ", and all rights are handed to user by CSP, and now user becomes sovereign power entity, and is in charge of and controls the every resource and the service that are stipulated by SSA.The present invention analogizes to cloud computing service in " room " of taxi, and CSP analogizes to " landlord ", and user analogizes to " lessee ".Within the lease term of validity (i.e. " clean room state "), lessee becomes " owner in room ", can add one " lock " for room.Build clean room cloud computing environment and namely guarantee that anyone (even landlord) except " owner in room " cannot spy on its privacy and destroy user's living environment, fundamentally ensures the safety of " owner in room ".Although landlord (CSP) may need to carry out necessary furniture and electric appliances service, adds, discard, but need to guarantee that any operation that landlord (CSP) carries out do not violate SSA agreement, once or make the behavior of violating SSA and will provide alarm to " owner in room " at once.

Model

Clean room cloud computing model is by credible virtual monitor unit (Trusted Virtual Machine Monitor, TVMM), trusted node manager (Trusted Node Manager, TNM) and trusted node (Trusted Node) form, as shown in Figure 2.Wherein, TVMM is the software between hardware platform and user virtual machine, and is positioned in secure border, the main operation of being responsible for monitoring virtual machine; TN for be positioned at secure border with, moved the node of creditable calculation modules (Trusted Platform Module, TPM); TNM is positioned at beyond secure border, is not subject to the control of CSP, can be both the software that user moves, and can be also the software that user entrusts trusted third party's operation.TN registers to TNM, TNM safeguards a registration table, in order to management be positioned at secure border with all nodes, and by the trusted node set of the record management dynamic change in increase/delete list, thereby guarantee to only have trusted node can participate in deploying virtual machine and transition process, and guarantee the fail safe of whole deployment and transition process.

The basic ideas that clean room cloud computing model solves comprehensive clean room computing environment are: first, realize TVMM in conjunction with reliable computing technology and Intel Virtualization Technology; Then, cooperate with TNM by TVMM, on the one hand, the execution of virtual machine is limited in TN; On the other hand, in the time that virtual machine moves in network (comprise initiate virtual machine and two kinds of situations of virtual machine (vm) migration), the state of protection virtual machine is not monitored and revise; Finally, credible while utilizing integrity verification in TVMM agency to guarantee virtual machine operation.

Clean room state security framework constructing technology

Build in order to realize clean room state security framework, need to guarantee the fail safe of following three processes: monitor of virtual machine (Virtual Machine Monitor, the fail safe of the VMM) fail safe of deployment, VMM start-up course and the fail safe of VMM running, thus realize TVMM.In order to guarantee that VMM disposes and the fail safe of start-up course, this project hypothesis node mainboard has embedded credible platform module (TPM) chip, so that the root of trust of credible calculating to be provided.In TPM, there are a series of platform configuration register (Platform Configuration Register, PCR).PCR is the measurement root of trust program of TPM, by the input/input bus between " eavesdropping " external equipment and CPU I/O control centre, obtain the measurement result of the software execution environment from external equipment to platform, and be recorded in volatile memory.User is by remote authentication mode, " challenge-reply " mechanism is obtained the measurement result in multiple PCR, and by the measurement list receiving and desired value comparison, thereby judge whether VMM is deployed on the Cloud Server that has embedded credible platform module, and judge the whether safety of start-up course of VMM.

The fail safe when difficult point that clean room state security framework builds is how to guarantee VMM operation.Existing method is that integrality and credibility when VMM is moved by the mode of remote authentication measured.Because VMM is the software that priority level is the highest, therefore, the VMM of malice may tackle remote authentication, thereby before checking is carried out, removes and attack vestige, or distort real the result.Therefore, remote authentication process must guarantee: 1. measure reconditely.The measurement of VMM need to hiddenly thickly be carried out, in order to avoid VMM finds the execution of measuring and removes any vestige.2. the atomicity of proof procedure.Proof procedure Once you begin just can not be interrupted or distort.3. measurement environment information integrity.Obtain the true context environmental of VMM, comprise data and the code of VMM, and the integrality state of CPU.4. the authenticity of measurement result.Authentication result is sent to remote authentication side safely, must not be tampered, fake.

The present invention supposes that node has been equipped can Remote triggering system management interrupt (SystemManagementInterrupt, SMI) frequency band outer channel (for example, IBM BladerCenter), utilize System Management Mode (System Management Model, SMM), IPMI (Intelligent Platform Management Interface, IPMI), and Baseboard Management Controller (Baseboard Management Controller, BMC), the dynamic integrality of the running of the mode of user by remote authentication to VMM is carried out " hidden close " and " atom " and is detected (" atom " detect refer to guarantee that proof procedure is not interrupted or distorts), obtain true, credible, complete measurement result.

When the operation of TVMM, the detection of integrality is carried out by dynamic management device (Dynamic Management, DM).DM is by two module compositions: be arranged in the system management interrupt processor (System Management Random Access Memory, SMRAM) of system management random access memory and be positioned at TVMM integrity measurement agency.User utilizes based on IPMI and BMC frequency band outer channel, realizes the dynamic integrality of VMM running is detected in the mode of far call DM.Remote authentication process as shown in Figure 3.

The demand for security of remote authentication process is as follows:

1. realize concealed measurement.The measurement of VMM need to hiddenly thickly be carried out, in order to avoid VMM finds the execution of measuring and removes " any vestige ".Realize hidden close measurement and face following two main challenges: first, the SMI being produced by BMC may be cancelled by the VMM of malice or re-route.Therefore, need to prevent that SMI from being revised by VMM.This problem can be solved by remote authentication process: if SMI is cancelled, remote entity cannot be received measurement result in finite time, thereby infers that SMI is cancelled by VMM malice.Secondly, VMM has the ability that triggers SMI, can call to conceal original SMI by puppet measurement and call, and removes " attack vestige ".Therefore, in order to distinguish by frequency band outer channel, calling with the puppet of VMM of SMI called, this project adopts a series of status registers that can not be distorted by software (comprising VMM) to store the type that SMI calls, and adopt universal input port routing table to record the interrupt type that each universal input port produces, guarantee to only have the universal input port being connected with BMC could trigger SMI.

2. guarantee the integrality of DM assembly.Because measurement agent is arranged in VMM, therefore, before measuring execution, need to guarantee the integrality of measurement agent.First, need to realize the credible startup (as shown in Figure 4) of SMI processor, the credible measurement root of core (Core Root ofTrust Measurement from BIOS, CRTM) inspection of complete self-examination and executable code starts, until all component is all measured complete in start-up course.Secondly, need to guarantee that SMI processor is before calling measurement agent, first computation and measurement is acted on behalf of the cryptographic Hash of correlative code, with confirmatory measurement agency's integrality.

3. guarantee that proof procedure Once you begin just does not allow to be interrupted or to distort, guarantee the continuity of proof procedure, that is to say and guarantee that this checking is initial that original checking of initiating always.In order to guarantee that proof procedure Once you begin just can not be interrupted or distort, there is interruption or abnormal once adopt correlation technique assurance to measure in implementation, measure control stream and will directly forward SMI processor to.

4. guarantee measurement environment information integrity.Obtain complete, the real context environmental of VMM, comprise data and the code of VMM, in the time being interrupted by SMI, CPU may be in VMM/ root operator scheme, also may be in user virtual machine/non-operator scheme.Only, when CPU operates under root operator scheme, measurement agent can obtain complete metrical information by interrupts of CPU; And in the time that CPU operates in non-operator scheme, measurement agent cannot obtain any metrical information.Therefore, project adopts rollback technology, by injecting an instruction that causes virtual machine unconditionally to exit, forces CPU core to transfer to VMM from user virtual machine.Whole process VMM can not discover, also uncontrollable.Back off procedure is as follows: keep the value in all registers, and next instruction and address; Inject a privileged instruction and replace next instruction; Once an event is counted, Performance register is set for overflowing; Revise Advanced Programmable Interrupt Controllers APICs (Local Advanced Programmable Interrupt Controller, LAPIC) to such an extent as to Performance register overflows and causes SMI to interrupt.

5. guarantee measurement result authenticity.Authentication result is sent to remote authentication side safely, must not be tampered, fake.

As shown in Figure 5, model adopts remote authentication mode to guarantee the authenticity of result.In system starting process, for platform produces a public/private keys pair, before pinning SMRAM, private key is left in SMRAM, and PKI is left in the static PCR of TPM.In order to obtain the result of measuring process, long-distance user sends a request and a random number is acted on behalf of to checking.Checking agency produces two different signature values by obtaining based on random number: first is static authentication output, by TPM private key signature; Second is the result of measuring, by the private key signature of SMI processor.By relatively sign can judged result authenticity.

Clean room state safety transfer technology

In order to realize the safety transfer of virtual machine, need to guarantee: 1. deploying virtual machine is in a trusted node.2. the fail safe of virtual machine moving process between user side and trusted node.3. in virtual machine (vm) migration process, guarantee the fail safe of virtual machine moving process between trusted node.In whole transition process, CSP cannot monitor or destroy initial condition and the executing state of virtual machine.

TNM safeguards a trusted node aggregate list, record be positioned at secure border with the public endorsement key of node, this node and the measurement list of expecting, and announce the endorsement key PKI of oneself, measurement list and the trusted key PKI of expectation.Between TNM and trusted node, carry out the credibility of mutual verification platform by the integrality of remote authentication confirmatory measurement list.In order to realize the fail safe of virtual machine executing state transition process between node, first need to guarantee that source node and destination node are all trusted node, secondly need to guarantee that virtual machine state is safe in transition process.Therefore, in transition process, the credibility of source node request TNM checking destination node.If source node and destination node are all arranged in trusted node set, TNM allows two nodes directly communicate.Between source node and destination node, consult a session key, encrypt the relevant information in virtual machine (vm) migration process.In order to guarantee integrality and the fail safe of virtual machine (vm) migration process, source node calculates the cryptographic Hash of virtual machine identity, and will after virtual machine identity and cryptographic Hash encryption, pass to destination node.

Virtual machine (vm) migration process as shown in Figure 6.In order to realize the fail safe of virtual machine executing state transition process between node, first need to guarantee source node N _swith destination node N _dbe all trusted node, secondly need to guarantee that virtual machine state is safe in transition process.

1) N _srequest TNM checking N _dcredibility.N _sfirst select a challenge of initiating to TNM

then utilize the private key of its trusted key

encrypted challenge and N _didentity

finally by produce ciphertext and

with the PKI of the trusted key of TNM

encrypt, and the result of generation is sent to TNM.

2) credibility of TNM checking source node and destination node.First, TNM utilizes the private key of its trusted key decrypt, and checking N _sidentity whether be arranged in trusted node set.If N _sbe trusted node, utilize N _sthe PKI of trusted key

deciphering

and challenge, and checking N _didentity whether be arranged in trusted node set.If N _dbe trusted node, utilize N _sthe PKI of trusted key

encrypted challenge and N _dthe PKI of trusted key

finally, again encrypt the ciphertext of generation with the private key of its trusted key, and result is returned to N _s.

3) N _swith N _dbetween consult a session key SK, to guarantee the state confidentiality in VM transition process.N _safter decrypt, can obtain N _dthe PKI of trusted key

n _sfirst select a session key SK, and to N _dinitiate a challenge

then, utilize the private key of its trusted key encrypt SK and

finally, utilize N _dthe PKI of trusted key encrypt the identity of oneself and the ciphertext of generation, and result is sent to N _d.

4) before the key that accepts session, N _dfirst verify N _swhether credible.N _dfirst utilize the private key of its trusted key

decrypt N _sidentity

then, N _dinitiate a challenge to TNM

and utilize the private key of its trusted key

encrypted challenge and

finally utilize TNM trusted key public key encryption produce ciphertext and

and result is sent to TNM.

5) TNM decrypts N _sand N _didentity, verify whether both are trusted node.If so, first utilize N _dthe private key of trusted key

encrypted challenge and N _sthe PKI of trusted key

finally, with its trusted key private key

encrypt the ciphertext generating, and the result of generation is returned to N _d.

after, send to N _s.

Clean room state Real-time Monitor Technique

The virtual machine that TVMM operation is two types: user virtual machine and managing virtual machines.Managing virtual machines is responsible for memory space, the internal memory of configure user virtual machine, determines the strategy of employing, for user virtual machine provides high-level interface.TVMM carries out these tasks for managing virtual machines provides a base interface, and initiates integrity measurement agency the integrality of user virtual machine is verified.Integrity measurement agency intercepts and captures all processes, comprises monitor service request, system call and hardware interrupts.System call, before handing to operating system of user kernel, can first be trapped in TVMM.Now, integrity measurement agency intercepts and captures all system calls that user virtual machine is initiated, and detects context environmental and the input parameter intercepted and captured.

Clean room state in real time monitoring relates to three processes: integrity measurement result and the protection user memory of initiatively monitoring, obtain Semantic Aware.

1) initiatively monitoring (interception comprises system call, interruption and abnormal) makes credible VMM can keep the up-to-date view of user virtual machine memory mapping.Once memory mapping changes,, in the time that user virtual machine creates, stops or revises consumer process or kernel module, TVMM can intercept and capture dependent event, and again initiates integrity checking.Mainly comprise: 1. intercept and capture key user's event.In order to detect context environmental and the input of user virtual machine initiated event, once event is trapped in TVMM, integrity measurement agency checks register, software stack, the software heap of user virtual machine at once.The information detecting comprises: the instruction of event type, event argument, working procedure and stack pointer.Once kernel completes event handling, integrity measurement agency will force it to be again absorbed in TVMM.For interrupting with abnormal, the event return address being stored in kernel is become an illegal address by TVMM.Once event is returned to illegal address, the protection fault of TVMM will be caused being absorbed in.2. interception system calls.Simply utilize rewriting system call return address technology effectively intercepting system call because system call has multiple return addresses conventionally, and there is kernel reentry situation.For both of these case, can adopt the system call interception in system call Interception Technology and the kernel reentry situation in the situation of many return addresses to force system call to be intercepted and captured by TVMM before being delivered to system kernel, and make TVMM intercept and capture the system call that all user virtual machine send, and the context environmental calling and input parameter, thereby realize initiatively monitoring completely.

Integrity measurement is acted on behalf of process that intercepting system calls as shown in Figure 7.1. process a initiates a system call.Integrity measurement agency preserves desired data, and debug registers is set.2. kernel suspends the thread moving, calling process b.Before context switch occurs, to carry out and be trapped in TVMM, integrity measurement is acted on behalf of reset debug registers.3. process b initiates a system call.Integrity measurement agency creates new one in list, and utilizes new value that debug registers is set.4. kernel completes the system call of process b, and a debugger is absorbed in TVMM by instruction extremely.Before TVMM returns results to calling process, integrity measurement has been acted on behalf of the process that it is detected.5. kernel continues calling of process a.Integrity measurement agency is known context switch, and recovers the value of the debug registers keeping.6. called, integrity measurement agency starts to measure the storage area as calling result.7. after load page, a protection exception occurs.This process is continued until that all pages are all loaded.8. integrity measurement agency measures region of memory, recovers original kernel output, and returns to consumer process.

2) measurement result of obtaining complete and Semantic Aware requires operating system nucleus before working procedure, to load complete program, and is verified at once the integrality of whole program by credible VMM.Therefore, 1. need to tackle related system and call, and force kernel before working procedure, to load complete routine, to guarantee to obtain complete metrical information; 2. in the time that program code and primary data piecemeal are loaded into internal memory, the continuous hash function value that requires integrity measurement agency to calculate at once whole program is determined its integrality.

3) user memory protection requires: 1. user virtual machine can only be carried out the user program of measured mistake.2. user can find any illegal modifications to the user program of measuring.In order to guarantee only to carry out the user program of measured mistake, perfect measurement agency utilizes NX-bit page protection identification technology, once make the page from being had protective emblem carry out instruction, will cause one to be trapped in the abnormal of TVMM.TVMM is absorbed in the renewal of all User Page tables, tests the address whether it mates the page carried out of any program association that has completed measurement, thus the information integrity that checking is obtained from user's kernel.Be modified for fear of all programs of having measured, integrity measurement agency be all designated the page carried out of all measurements and can not write.Measured the page once assailant attempts to revise, one will produce, and process is trapped in to TVMM extremely.In addition, executable operations and the write operation of a page of restriction can not occur simultaneously.

Beneficial effect:

Clean room cloud computing data processing method of the present invention and system, take clean room cloud computing model as framework, take clean room state security framework constructing technology, clean room state safety transfer technology and clean room state Real-time Monitor Technique as technological means; Described clean room cloud computing model is made up of credible virtual monitor unit (TVMM), trusted node manager (TNM) and trusted node (TN); Realize believable monitor of virtual machine by clean room state security framework constructing technology, ensure that monitor of virtual machine is disposed, the fail safe of start-up and operation process; Realize the deployment of virtual machine in trusted node by clean room state safety transfer technology, ensure the fail safe of virtual machine (vm) migration process; By clean room state Real-time Monitor Technique, the dynamic integrality while realizing virtual machine operation; Based on the use agreement of user and cloud service provider (CSP) signing, user carries out concealed measurement by credible virtual monitor unit to service execution environment, thereby service execution environmental limitations, in safe border, is realized to the safety isolation/virtual locking mechanisms of clean room state; If the integrality of execution environment is destroyed, credible virtual monitor unit provides warning to user; Described use agreement is relevant expense mode and the restricted responsibility content with usage platform service of signing between user and CSP.This clean room cloud computing data processing method and system have advantages of safe.

Clean room cloud computing theory has comprised cloud service " service state " and " clean room state " these two brand-new scientific concepts, and Intel Virtualization Technology and reliable computing technology are organically combined, and realizes the safety isolation/virtual locking mechanisms under clean room state.First, realize TVMM in conjunction with reliable computing technology and Intel Virtualization Technology; Then, cooperate with TNM by TVMM, on the one hand, the execution of virtual machine is limited in trusted node; On the other hand, in the time that virtual machine moves in network (comprise initiate virtual machine and two kinds of situations of virtual machine (vm) migration), the state of protection virtual machine is not monitored and revise; Finally, credible while utilizing integrity verification in TVMM agency to guarantee virtual machine operation.

At present, be the important research direction that realizes secure cloud calculation services in conjunction with reliable computing technology and Intel Virtualization Technology.On the one hand, utilize isolation mech isolation test that Intel Virtualization Technology provides by entity running space separately, by the behavior of monitoring mechanism dynamic measurement entity, find and get rid of unexpected phase mutual interference.On the other hand, ensure the dynamic integrality of virtual machine by credible tolerance mechanism, realize the credible intercommunication of different virtual environment by credible report mechanism, realize Data Migration, storage and access control by trusted storage mechanism.But, current work endeavour chamber in the safety of cloud service that realizes specific level, cannot arrive the comprehensively clean target of cloud service.Facing cloud calculation services environment of the present invention, use for reference the thought of exploitation " zero-fault " or " approaching zero-fault " software in " cleanroom software engineering ", combined with virtual technology and reliable computing technology, build from clean room state security framework, to VMM deployment, operation and VM migration and operation, realize the clean room cloud computing service environment of the safety isolation/virtual locking mechanisms under clean room state.

Clean room cloud computing data processing method of the present invention and system, be conducive to make full use of the advantage such as cloud computing is ultra-large, virtual, when user brings efficient, extendible on-demand service, farthest ensures user's data security and privacy; Make full use of that computing technique fast development, computational resource are become stronger day by day, rich and varied the brought new demand of application mode and the new opportunity that provides, analyze the great change in the cloud computing security strategy of bringing therefrom, towards novel computing environment, preemption techniques commanding elevation in the new situation, strengthen self competitiveness, make China's information industry in the new century, step into world's rank of advanced units, meet the great demand of China's strategic development, for China is information-based and industrialized fusion and development power-assisted, for the enterprise that uses cloud computing technology brings great economic benefit.

The hierarchical system structure of facing cloud calculation services of the present invention, build one dynamic, autonomous with believable clean room computational resource pond as basis, realize the conversion between " service state " and " clean room state ", guarantee fail safe, reliability and the integrality of data handling procedure, to meet, large-scale data walks abreast and the reliability requirement of distributed treatment, progressively set up clean room cloud computing theory system of new generation, for the technological innovation of the new application of cloud computing provides basic theory support.

The clean room cloud computing theory that the present invention proposes is to guarantee that cloud computing service key feature is as prerequisite, by farthest guaranteeing the safety of user data processing procedure, promote cloud computing technology can really be dissolved into as a kind of emerging computation model in the middle of the production and life of human society, just convenient and practical and safe and reliable as people use running water, electricity, coal gas, thus larger economic benefit and social benefit brought.

Accompanying drawing explanation

Fig. 1. in clean room cloud computing, serve the conversion schematic diagram between state and clean room state;

Fig. 2. clean room cloud computing model schematic diagram;

Fig. 3. the process schematic diagram of Dynamic Execution environment remote authentication;

Fig. 4 .SMI is credible start-up course schematic diagram;

Fig. 5. remote authentication TVMM process schematic diagram;

The process schematic diagram that Fig. 6 .VM moves between trusted node;

Fig. 7. integrity measurement is acted on behalf of the process schematic diagram that intercepting system calls;

Embodiment

Below with reference to the drawings and specific embodiments, the present invention is described in further details:

Embodiment 1:

Described clean room cloud computing model is made up of credible virtual monitor unit TVMM, trusted node manager TNM and trusted node TN;

Based on the use agreement of user and CSP signing, user carries out concealed measurement by credible virtual monitor unit to service execution environment; If the integrality of execution environment is destroyed, credible virtual monitor unit provides warning to user;

Embed credible platform module (TPM) chip at the mainboard of trusted node, so that the root of trust of credible calculating to be provided; In TPM, there are a series of platform configuration register (Platform Configuration Register, PCR); PCR is the measurement root of trust program of TPM, monitor the input/input bus between external equipment and CPU I/O control centre by secret, obtain the measurement result of the software execution environment from external equipment to platform, and be recorded in volatile memory; User is by remote authentication mode, " challenge-reply " mechanism is obtained the measurement result in multiple PCR, and by the measurement list receiving and desired value comparison, thereby judge whether VMM is deployed on the Cloud Server that has embedded credible platform module, and judge the whether safety of start-up course of VMM;

In remote authentication process:

3. guarantee that proof procedure is not interrupted or distorts: in order to guarantee that proof procedure Once you begin just can not be interrupted or distort, once guarantee to measure in implementation, interruption or abnormal has occurred, stream is controlled in measurement will directly forward SMI processor to;

Model adopts remote authentication mode to guarantee the authenticity of result: in system starting process, for platform produces a public/private keys pair, before pinning SMRAM, private key is left in SMRAM, and PKI is left in the static PCR of TPM; In order to obtain the result of measuring process, long-distance user sends a request and a random number is acted on behalf of to checking; Checking agency produces two different signature values by obtaining based on random number: first is static authentication output, by TPM private key signature; Second is the result of measuring, by the private key signature of SMI processor; By relatively sign can judged result authenticity.

Concrete credible virtual machine transition process is as follows:

then utilize the private key of its trusted key

encrypted challenge and N _didentity

finally by produce ciphertext and

with the PKI of the trusted key of TNM

encrypt, and the result of generation is sent to TNM;

deciphering

and challenge, and checking N _didentity whether be arranged in trusted node set; If N _dbe trusted node, utilize N _sthe PKI of trusted key

encrypted challenge and N _dthe PKI of trusted key

3) N _swith N _dbetween consult a session key SK, to guarantee the state confidentiality in VM transition process, N _safter decrypt, can obtain N _dthe PKI of trusted key n _sfirst select a session key SK, and to N _dinitiate a challenge

then, utilize the private key of its trusted key

encrypt SK and

finally, utilize N _dthe PKI of trusted key

decrypt N _sidentity

then, N _dinitiate a challenge to TNM

and utilize the private key of its trusted key encrypted challenge and finally utilize TNM trusted key public key encryption produce ciphertext and

and result is sent to TNM;

encrypted challenge and N _sthe PKI of trusted key

finally, with its trusted key private key

encrypt the ciphertext generating, and the result of generation is returned to N _d;

after, send to N _s;

The virtual machine that TVMM operation is two types: user virtual machine and managing virtual machines; Managing virtual machines is responsible for memory space, the internal memory of configure user virtual machine, determines the strategy of employing, for user virtual machine provides high-level interface; TVMM carries out these tasks for managing virtual machines provides a base interface, and initiates integrity measurement agency the integrality of user virtual machine is verified; Integrity measurement agency intercepts and captures all processes, comprises monitor service request, system call and hardware interrupts; System call, before handing to operating system of user kernel, can first be trapped in TVMM; Now, integrity measurement agency intercepts and captures all system calls that user virtual machine is initiated, and detects context environmental and the input parameter intercepted and captured;

Claims

1. a clean room cloud computing data processing method, is characterized in that, take clean room cloud computing model as framework;

2. clean room cloud computing data processing method according to claim 1, is characterized in that, the situation of violating described use agreement comprises spies on, distorts and destroy service execution environment, is also user virtual machine.

3. clean room cloud computing data processing method according to claim 2, is characterized in that, has embedded credible platform module chip at the mainboard of trusted node, so that the root of trust of credible calculating to be provided; In TPM, there are a series of platform configuration register, PCR; PCR is the measurement root of trust program of TPM, monitor the input/input bus between external equipment and CPU I/O control centre by secret, obtain the measurement result of the software execution environment from external equipment to platform, and be recorded in volatile memory; User is by remote authentication mode, " challenge-reply " mechanism is obtained the measurement result in multiple PCR, and by the measurement list receiving and desired value comparison, thereby judge whether VMM is deployed on the Cloud Server that has embedded credible platform module, and judge the whether safety of start-up course of VMM;

Trusted node equipped can Remote triggering system management interrupt frequency band outer channel, utilize System Management Mode, IPMI and Baseboard Management Controller, the dynamic integrality of the running of the mode of user by remote authentication to VMM is carried out hidden close detection, and guarantee that proof procedure is not interrupted or distorts, obtain true, credible, complete measurement result.

When the operation of TVMM, the detection of integrality is carried out by dynamic management device; DM is by two module compositions: be arranged in the system management interrupt processor of system management random access memory and be positioned at TVMM integrity measurement agency; User utilizes based on IPMI and BMC frequency band outer channel, realizes the dynamic integrality of VMM running is detected in the mode of far call DM.

In remote authentication process:

2. guarantee the integrality of DM assembly: first, need to realize the credible startup of SMI processor, the core complete self-examination of credible measurement root from BIOS and the inspection of executable code start, until all component is all measured complete in start-up course; Secondly, need to guarantee that SMI processor is before calling measurement agent, first computation and measurement is acted on behalf of the cryptographic Hash of correlative code, with confirmatory measurement agency's integrality;

4. guarantee measurement environment information integrity: obtain complete, the real context environmental of VMM, comprise data and the code of VMM, in the time being interrupted by SMI, adopt rollback technology, by injecting an instruction that causes virtual machine unconditionally to exit, force CPU core to transfer to VMM from user virtual machine; Back off procedure is as follows: keep the value in all registers, and next instruction and address; Inject a privileged instruction and replace next instruction; Once an event is counted, Performance register is set for overflowing; Revising Advanced Programmable Interrupt Controllers APICs to such an extent as to Performance register overflows and causes a SMI to interrupt;

4. clean room cloud computing data processing method according to claim 2, is characterized in that,

Concrete credible virtual machine transition process is as follows:

then utilize the private key of its trusted key

encrypted challenge and N _didentity

finally by produce ciphertext and

with the PKI of the trusted key of TNM

encrypt, and the result of generation is sent to TNM;

deciphering

encrypted challenge and N _dthe PKI of trusted key finally, again encrypt the ciphertext of generation with the private key of its trusted key, and result is returned to N _s;

n _sfirst select a session key SK, and to N _dinitiate a challenge

then, utilize the private key of its trusted key

encrypt SK and

finally, utilize N _dthe PKI of trusted key

decrypt N _sidentity then, N _dinitiate a challenge to TNM

and utilize the private key of its trusted key

encrypted challenge and

finally utilize TNM trusted key public key encryption produce ciphertext and

and result is sent to TNM;

encrypted challenge and N _sthe PKI of trusted key

finally, with its trusted key private key

after, send to N _s;

5. according to the clean room cloud computing data processing method described in claim 1-4 any one, it is characterized in that,

6. a clean room cloud computing data handling system, is characterized in that, is made up of credible virtual monitor unit TVMM, trusted node manager TNM and trusted node TN;

Described clean room cloud computing data handling system is according to clean room cloud computing data processing method implementation data claimed in claim 5 processing.