CN103841198A - Cleanroom cloud computing data processing method and system - Google Patents

Cleanroom cloud computing data processing method and system Download PDF

Info

Publication number
CN103841198A
CN103841198A CN201410083476.6A CN201410083476A CN103841198A CN 103841198 A CN103841198 A CN 103841198A CN 201410083476 A CN201410083476 A CN 201410083476A CN 103841198 A CN103841198 A CN 103841198A
Authority
CN
China
Prior art keywords
user
trusted
virtual machine
measurement
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410083476.6A
Other languages
Chinese (zh)
Other versions
CN103841198B (en
Inventor
王国军
刘琴
刘湘勇
齐芳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Central South University
Original Assignee
Central South University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Central South University filed Critical Central South University
Priority to CN201410083476.6A priority Critical patent/CN103841198B/en
Publication of CN103841198A publication Critical patent/CN103841198A/en
Application granted granted Critical
Publication of CN103841198B publication Critical patent/CN103841198B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a cleanroom cloud computing data processing method and system. According to the cleanroom cloud computing data processing method and system, a cleanroom cloud computing model serves as the framework, a cleanroom state security framework establishing technology, a cleanroom state security migration technology and a cleanroom state real-time monitoring technology serve as technological means, and the cleanroom cloud computing model is composed of a trusted virtual machine monitor (TVMM), a trusted node manager (TNM) and a trusted node (TN). When the integrity of an execution environment is destroyed, the trusted virtual machine monitor gives an alarm to a user. The cleanroom cloud computing data processing method and system have the advantage of being high in safety performance.

Description

A kind of clean room cloud computing data processing method and system
Technical field
The present invention relates to a kind of clean room cloud computing data processing method and system.
Background technology
Cloud computing technology is one of the most popular topic of computer realm in recent years, is becoming one of of paramount importance trend of following computing technique development.The internationally famous Gartner of science shop organizes the information of every annual meeting synthesise various to issue IT technology trends, and chooses the ten large key technologies that next three years merits attention most.This is organized in the report of up-to-date issue in 2014, and cloud computing technology remains one of ten great strategy technological trends.In addition, the research report of the up-to-date issue of the IDC of market research agency is produced and is claimed, cloud computing technology produces far-reaching influence to IT market, and it not only can be for supplier creates many new chances, and is promoting the variation of conventional I T industry generation essence.IDC prediction, cloud computing in 2014, by the consumption that drives 100,000,000,000 dollars, increased by 25% than 2013; And the underlying hardware construction such as China's cloud computing centers in 2014 can peak, cloud computing architecture market in general scale to 2015 year will exceed 2,000,000,000 dollars.
Cloud computing technology has now become one of guidance quality index of a national industry and information security.In September, 2009, U.S. government has announced a long-term cloud computing policy.The cloud computing deployment of government department, in " report of digital Britain " of within 2009, issuing, is appealed to strengthen by Britain.Korean government determines, before 2014, drops into huge fund to cloud computing field, strives for making Korea S's cloud computing market scale to expand current 4 times to.China has started to formulate the national strategical planning of cloud computing.In October, 2010, Ministry of Industry and Information and the Committee of Development and Reform combine and have issued " about the notice of carrying out the demonstration work of cloud computing service innovation pilot ", clearly in Beijing, Shanghai, Shenzhen, Hangzhou, 5 of Wuxis cities carries out cloud computing pilot.In State Council's " about decision of accelerating cultivation and development strategy new industry ", explicitly point out: greatly develop strategic new industries such as comprising energy-conserving and environment-protective, generation information technology, biology, high-end equipment manufacture, new forms of energy, new material and new-energy automobile.Cloud computing just belongs to the wherein category of generation information technology.
Along with the development of cloud computing technology, the safety problem in cloud computing more and more receives the concern of industrial circle and academia.Security expert generally believes that cloud computing technology is also very immature, and information security issue has had a strong impact on the paces of disposing cloud computing service.Gartner organized once and pointed out: although cloud computing has very wide application prospect and huge commercial value, but, for the user who uses this service, they should be appreciated that cloud computing service exists the access of superuser, the property examined, Data Position, data isolation, data recovery, investigation support and the large potential security risk of long term survival seven [3].In fact,, in these security risks, some risks occur.For example, Google company reveals privacy of user event, and the service disruption event of Amazon EC2, Google Apps, Windows Azure.The cloud computing service survey report demonstration of issuing according to IDC, service safe, stability and performance performance are the three large market challenges [4] that cloud computing service faces.
Information security concerns national politics, economy and the various aspects such as cultural.China explicitly points out the critical role of information security technology in " 2006-2020 national information development strategy ", and will significantly improve the strategic objective of national information safety guarantee level as the year two thousand twenty China Informatization Development.Cloud computing technology, as a kind of emerging computation model that promotes scientific and technological progress and social development, has become focus and the commanding elevation of international competition, becomes one of important indicator of weighing a national overall national strength and competence in research.Realize secure cloud calculating and not only can promote China's politics, economy, science and technology and national security construction, and along with the development of cloud computing technology, this technology there is very important meaning for strengthening china's overall national strength and sci-tech innovation ability.
Therefore, be necessary to design the higher data processing method for cloud computing of a kind of fail safe and system.
Summary of the invention
Technical problem to be solved by this invention is to provide a kind of clean room cloud computing data processing method and system, and this clean room cloud computing data processing method and system have advantages of safe.
The technical solution of invention is as follows:
A kind of clean room cloud computing data processing method, take clean room cloud computing model as framework;
Described clean room cloud computing model is by credible virtual monitor unit (Trusted Virtual Machine Monitor, TVMM), trusted node manager (Trusted Node Manager, TNM) and trusted node (Trusted Node, TN) form;
Wherein, credible virtual monitor unit is that TVMM is the software [realization of TVMM is with reference to clean room state security framework constructing technology] between hardware platform and user virtual machine, and is positioned in secure border, is responsible for the operation of monitoring virtual machine; [virtual machine refers to the computer system with complete hardware system function of simulation, is that CSP offers user as service, concerning user, just looks like to use actual computer the same.】
Trusted node be TN for be positioned at secure border with, moved the node of creditable calculation modules (Trusted Platform Module, TPM);
Trusted node manager is that TNM is positioned at beyond secure border, is not subject to the control of CSP, can be both the software that user moves, and can be also the software that user entrusts trusted third party's operation;
TN registers to TNM, TNM safeguards a registration table, in order to management be positioned at secure border with all nodes, and by the trusted node set of the record management dynamic change in increase/delete list, thereby guarantee to only have trusted node can participate in deploying virtual machine and transition process, and guarantee the fail safe of whole deployment and transition process;
Based on the use agreement of user and CSP signing, user carries out concealed measurement [method of measurement is shown in clean room state security framework constructing technology] by credible virtual monitor unit to service execution environment; If the integrality of execution environment is destroyed, credible virtual monitor unit provides warning to user;
Described use agreement has determined that CSP provides the authority of service.
The situation of violating described use agreement comprises spies on, distorts and destroy service execution environment, is also user virtual machine.
Embed credible platform module (TPM) chip at the mainboard of trusted node, so that the root of trust of credible calculating to be provided; In TPM, there are a series of platform configuration register (Platform Configuration Register, PCR); PCR is the measurement root of trust program of TPM, monitor the input/input bus between (i.e. eavesdropping) external equipment and CPU I/O control centre by secret, obtain the measurement result of the software execution environment from external equipment to platform, and be recorded in volatile memory; User is by remote authentication mode, " challenge-reply " mechanism is obtained the measurement result in multiple PCR, and by the measurement list receiving and desired value comparison, thereby judge whether VMM is deployed on the Cloud Server that has embedded credible platform module, and judge the whether safety of start-up course of VMM;
In remote authentication process, obtain the true context environmental of VMM, comprise data and the code of VMM, and the integrality state of CPU; Authentication result is sent to remote authentication side safely, and is not tampered and fakes;
Having equipped in trusted node can Remote triggering system management interrupt (System Management Interrupt, SMI) frequency band outer channel (for example, IBM BladerCenter), utilize System Management Mode (System Management Model, SMM), IPMI (Intelligent Platform Management Interface, IPMI), and Baseboard Management Controller (Baseboard Management Controller, BMC), the dynamic integrality of the running of the mode of user by remote authentication to VMM is carried out hidden close detection, and guarantee that proof procedure is not interrupted or distorts, obtain true, credible, complete measurement result.
When the operation of TVMM, the detection of integrality is carried out by dynamic management device (Dynamic Management, DM); DM is by two module compositions: be arranged in the system management interrupt processor (System Management Random Access Memory, SMRAM) of system management random access memory and be positioned at TVMM integrity measurement agency; User utilizes based on IPMI and BMC frequency band outer channel, realizes the dynamic integrality of VMM running is detected in the mode of far call DM.
In remote authentication process:
1. realize concealed measurement: the SMI first being produced by BMC may be cancelled by the VMM of malice or re-route; If SMI is cancelled, remote entity cannot be received measurement result in finite time, thereby infer that SMI is cancelled by VMM malice; Secondly, VMM has the ability that triggers SMI, can call to conceal original SMI by puppet measurement and call; In order to distinguish by frequency band outer channel, calling with the puppet of VMM of SMI called, adopt a series of status registers that can not be distorted by software to store the type that SMI calls, and adopt universal input port routing table to record the interrupt type that each universal input port produces, guarantee to only have the universal input port being connected with BMC could trigger SMI;
2. guarantee the integrality of DM assembly: first, need to realize the credible startup of SMI processor, the credible measurement root of core (Core Root ofTrust Measurement from BIOS, CRTM) inspection of complete self-examination and executable code starts, until all component is all measured complete in start-up course; Secondly, need to guarantee that SMI processor is before calling measurement agent, first computation and measurement is acted on behalf of the cryptographic Hash of correlative code, with confirmatory measurement agency's integrality;
3. guarantee that proof procedure is not interrupted or distorts that [proof procedure Once you begin just not allows to be interrupted or to distort, and guarantees the continuity of proof procedure, that is to say and guarantees that this checking is initial that original checking of initiating always.]: in order to guarantee that proof procedure Once you begin just can not be interrupted or distort, once guarantee to measure in implementation, interruption or abnormal has occurred, stream is controlled in measurement will directly forward SMI processor to;
4. guarantee measurement environment information integrity: obtain complete, the real context environmental of VMM, comprise data and the code of VMM, in the time being interrupted by SMI, adopt rollback technology, by injecting an instruction that causes virtual machine unconditionally to exit, force CPU core to transfer to VMM from user virtual machine; Back off procedure is as follows: keep the value in all registers, and next instruction and address; Inject a privileged instruction and replace next instruction; Once an event is counted, Performance register is set for overflowing; Revise Advanced Programmable Interrupt Controllers APICs (Local Advanced Programmable Interrupt Controller, LAPIC) to such an extent as to Performance register overflows and causes SMI to interrupt;
Model adopts remote authentication mode to guarantee the authenticity of result: in system starting process, for platform produces a public/private keys pair, before pinning SMRAM, private key is left in SMRAM, and PKI is left in the static PCR of TPM; In order to obtain the result of measuring process, long-distance user sends a request and a random number is acted on behalf of to checking; Checking agency produces two different signature values by obtaining based on random number: first is static authentication output, by TPM private key signature; Second is the result of measuring, by the private key signature of SMI processor; By relatively sign can judged result authenticity.If [signature can be by the checking of PKI, shows that signature is legal effective, is also that measurement result is real.】
TNM safeguards a trusted node aggregate list, record be positioned at secure border with the public endorsement key of node, this node and the measurement list of expecting, and announce the endorsement key PKI of oneself, measurement list and the trusted key PKI of expectation; Between TNM and trusted node, carry out the credibility of mutual verification platform by the integrality of remote authentication confirmatory measurement list; In transition process, the credibility of source node request TNM checking destination node; If source node and destination node are all arranged in trusted node set, TNM allows two nodes directly to communicate; Between source node and destination node, consult a session key, encrypt the relevant information in virtual machine (vm) migration process; In order to guarantee integrality and the fail safe of virtual machine (vm) migration process, source node calculates the cryptographic Hash of virtual machine identity, and will after virtual machine identity and cryptographic Hash encryption, pass to destination node;
Concrete credible virtual machine transition process is as follows:
1) N srequest TNM checking N dcredibility: N sfirst select a challenge of initiating to TNM
Figure BDA0000474278530000051
then utilize the private key of its trusted key
Figure BDA0000474278530000052
encrypted challenge and N didentity
Figure BDA0000474278530000053
finally by produce ciphertext and
Figure BDA0000474278530000054
with the PKI of the trusted key of TNM
Figure BDA0000474278530000055
encrypt, and the result of generation is sent to TNM;
2) credibility of TNM checking source node and destination node: first, TNM utilizes the private key of its trusted key
Figure BDA0000474278530000056
decrypt, and checking N sidentity whether be arranged in trusted node set; If N sbe trusted node, utilize N sthe PKI of trusted key
Figure BDA0000474278530000057
deciphering
Figure BDA0000474278530000058
and challenge, and checking N didentity whether be arranged in trusted node set; If N dbe trusted node, utilize the PKI of anxious trusted key
Figure BDA0000474278530000059
encrypted challenge and N dthe PKI of trusted key
Figure BDA00004742785300000510
finally, again encrypt the ciphertext of generation with the private key of its trusted key, and result is returned to N s;
3) N swith N dbetween consult a session key SK, to guarantee the state confidentiality in VM transition process, N safter decrypt, can obtain N dthe PKI of trusted key
Figure BDA0000474278530000061
n sfirst select a session key SK, and to N dinitiate a challenge
Figure BDA0000474278530000062
then, utilize the private key of its trusted key
Figure BDA0000474278530000063
encrypt SK and
Figure BDA0000474278530000064
finally, utilize N dthe PKI of trusted key
Figure BDA0000474278530000065
encrypt the identity of oneself and the ciphertext of generation, and result is sent to N d;
4) before the key that accepts session, N dfirst verify N swhether credible; N dfirst utilize the private key of its trusted key
Figure BDA0000474278530000066
decrypt N sidentity
Figure BDA0000474278530000067
then, N dinitiate a challenge to TNM
Figure BDA0000474278530000068
and utilize the private key of its trusted key
Figure BDA0000474278530000069
encrypted challenge and finally utilize TNM trusted key public key encryption produce ciphertext and
Figure BDA00004742785300000611
and result is sent to TNM;
5) TNM decrypts N sand N didentity, verify whether both are trusted node; If so, first utilize N dthe private key of trusted key
Figure BDA00004742785300000612
encrypted challenge and N sthe PKI of trusted key
Figure BDA00004742785300000613
finally, with its trusted key private key encrypt the ciphertext generating, and the result of generation is returned to N d;
6) if mutually authenticated N dthe reply key SK that accepts session, and utilize SK encrypted challenge
Figure BDA00004742785300000615
after, send to N s;
7) in order to guarantee integrality and the confidentiality of virtual machine (vm) migration process, N scalculate the cryptographic Hash of virtual machine identity, and will after virtual machine identity and cryptographic Hash encryption, pass to N d.
The virtual machine that TVMM operation is two types: user virtual machine and managing virtual machines; Managing virtual machines is responsible for memory space, the internal memory of configure user virtual machine, determines the strategy of employing, for user virtual machine provides high-level interface; For managing virtual machines provides a base interface, [base interface refers to the APl of software to TVMM, has encapsulated some functional modules of bottom, for calling on upper strata.] carry out these tasks, and initiate integrity measurement agency the integrality of user virtual machine is verified; Integrity measurement agency intercepts and captures all processes, comprises monitor service request, system call and hardware interrupts; System call, before handing to operating system of user kernel, can first be trapped in TVMM; Now, integrity measurement agency intercepts and captures all system calls that user virtual machine is initiated, and detects context environmental and the input parameter intercepted and captured;
Clean room state in real time monitoring relates to three processes: integrity measurement result and the protection user memory of initiatively monitoring, obtain Semantic Aware;
1) initiatively monitoring makes credible VMM can keep the up-to-date view of user virtual machine memory mapping; Once memory mapping changes,, in the time that user virtual machine creates, stops or revises consumer process or kernel module, TVMM can intercept and capture dependent event, and again initiates integrity checking; Comprise: 1. intercept and capture key user's event: in order to detect context environmental and the input of user virtual machine initiated event, once event is trapped in TVMM, integrity measurement agency checks register, software stack, the software heap of user virtual machine at once; The information detecting comprises: the instruction of event type, event argument, working procedure and stack pointer; Once kernel completes event handling, integrity measurement agency will force it to be again absorbed in TVMM; For interrupting with abnormal, the event return address being stored in kernel is become an illegal address by TVMM; Once event is returned to illegal address, the protection fault of TVMM will be caused being absorbed in.2. interception system calls: adopt the system call interception in system call Interception Technology and the kernel reentry situation in the situation of many return addresses to force system call to be intercepted and captured by TVMM before being delivered to system kernel, and make TVMM intercept and capture the system call that all user virtual machine send, and the context environmental calling and input parameter, thereby realize initiatively monitoring completely;
Integrity measurement is acted on behalf of the process that intercepting system calls: 1. process a initiates a system call; Integrity measurement agency preserves desired data, and debug registers is set; 2. kernel suspends the thread moving, calling process b; Before context switch occurs, to carry out and be trapped in TVMM, integrity measurement is acted on behalf of reset debug registers; 3. process b initiates a system call; Integrity measurement agency creates new one in list, and utilizes new value that debug registers is set; 4. kernel completes the system call of process b, and a debugger is absorbed in TVMM by instruction extremely.Before TVMM returns results to calling process, integrity measurement has been acted on behalf of the process that it is detected; 5. kernel continues calling of process a; Integrity measurement agency is known context switch, and recovers the value of the debug registers keeping; 6. called, integrity measurement agency starts to measure the storage area as calling result; 7. after load page, a protection exception occurs; This process is continued until that all pages are all loaded; 8. integrity measurement agency measures region of memory, recovers original kernel output, and returns to consumer process;
2) measurement result of obtaining complete and Semantic Aware requires operating system nucleus before working procedure, to load complete program, and is verified at once the integrality of whole program by credible VMM; Interception related system calls, and forces kernel before working procedure, to load complete routine, to guarantee to obtain complete metrical information; In the time that program code and primary data piecemeal are loaded into internal memory, the continuous hash function value that requires integrity measurement agency to calculate at once whole program is determined its integrality;
3) user memory protection: in order to guarantee only to carry out the user program of measured mistake, perfect measurement agency utilizes NX-bit page protection identification technology, once make the page from being there is protective emblem carry out instruction, will cause one to be trapped in the abnormal of TVMM; TVMM is absorbed in the renewal of all User Page tables, tests the address whether it mates the page carried out of any program association that has completed measurement, thus the information integrity that checking is obtained from user's kernel; Be modified for fear of all programs of having measured, integrity measurement agency be all designated the page carried out of all measurements and can not write; Measured the page once assailant attempts to revise, one will produce, and process is trapped in to TVMM extremely; In addition, executable operations and the write operation of a page of restriction can not occur simultaneously.
A kind of clean room cloud computing data handling system, is made up of credible virtual monitor unit TVMM, trusted node manager TNM and trusted node TN;
Wherein, credible virtual monitor unit is that TVMM is the software between hardware platform and user virtual machine, and is positioned in secure border, is responsible for the operation of monitoring virtual machine;
Trusted node be TN be positioned at secure border with, moved the node of creditable calculation modules TPM;
Trusted node manager is that TNM is positioned at beyond secure border, is not subject to the control of CSP, can be both the software that user moves, and can be also the software that user entrusts trusted third party's operation;
TN registers to TNM, TNM safeguards a registration table, in order to management be positioned at secure border with all nodes, and by the trusted node set of the record management dynamic change in increase/delete list, thereby guarantee to only have trusted node can participate in deploying virtual machine and transition process, and guarantee the fail safe of whole deployment and transition process;
Based on the use agreement of user and CSP signing, user carries out concealed measurement by credible virtual monitor unit to service execution environment; If the integrality of execution environment is destroyed, credible virtual monitor unit provides warning to user; Described use agreement has determined that CSP provides the authority of service;
Described clean room cloud computing data handling system is according to the processing of aforesaid clean room cloud computing data processing method implementation data.
The present invention is conceived to the fail safe of data and running environment, not management method.
The assailant in cloud service environment is divided into two types by the present invention: external attacker and the person of internaling attack.Wherein, external attacker is the people that some security protections layer by layer that must break through CSP can be obtained some useful information, and the person of internaling attack is the people that can obtain easily some useful data in " cloud ", for example, and CSP itself.CSP is considered as potential attacker by the present invention, and how research prevents internaling attack of cloud computing system effectively.Existing research work is mainly the entity that CSP is considered as to " honest and curious ", be that CSP will (for example normally carry out user's operational order, can maliciously not distort result of calculation), but for example, to user data very curious (, can spy on user's sensitive data).CSP not only can spy on user's data, and can carry out honestly user's operational order, and for example, malice abandons the long-term no data of user.This security model can effectively prevent that CSP from spying on user's data, and can effectively prevent that CSP from carrying out user's operational order dishonestly.
Target of the present invention is in cloud computing environment, to guarantee in all directions the fail safe of user data processing procedure and storing process, and forms a set of complete theoretical system.This design philosophy is similar to the thought of " zero-fault " in " cleanroom software engineering " or " approaching zero-fault " software development.Therefore, we propose the brand new ideas of " clean room cloud computing (Cleanroom Cloud Computing is called for short CCC) ", wish to realize by current advanced person's technology the cloud computing service of " zero-fault " or " approaching zero-fault ".As shown in Figure 1, clean room cloud computing theory is divided into calculating execution environment " service state " and " clean room state ".User signs security service agreement (Secure Service Agreement, SSA) with CSP as required.Before SSA comes into force, execution environment is in " service state ", and now CSP is sovereign power entity, is in charge of and controls all infrastructure, platform, resource and service.Once SSA comes into force, execution environment enters " clean room state ", and all rights are handed to user by CSP, and now user becomes sovereign power entity, and is in charge of and controls the every resource and the service that are stipulated by SSA.The present invention analogizes to cloud computing service in " room " of taxi, and CSP analogizes to " landlord ", and user analogizes to " lessee ".Within the lease term of validity (i.e. " clean room state "), lessee becomes " owner in room ", can add one " lock " for room.Build clean room cloud computing environment and namely guarantee that anyone (even landlord) except " owner in room " cannot spy on its privacy and destroy user's living environment, fundamentally ensures the safety of " owner in room ".Although landlord (CSP) may need to carry out necessary furniture and electric appliances service, adds, discard, but need to guarantee that any operation that landlord (CSP) carries out do not violate SSA agreement, once or make the behavior of violating SSA and will provide alarm to " owner in room " at once.
Model
Clean room cloud computing model is by credible virtual monitor unit (Trusted Virtual Machine Monitor, TVMM), trusted node manager (Trusted Node Manager, TNM) and trusted node (Trusted Node) form, as shown in Figure 2.Wherein, TVMM is the software between hardware platform and user virtual machine, and is positioned in secure border, the main operation of being responsible for monitoring virtual machine; TN for be positioned at secure border with, moved the node of creditable calculation modules (Trusted Platform Module, TPM); TNM is positioned at beyond secure border, is not subject to the control of CSP, can be both the software that user moves, and can be also the software that user entrusts trusted third party's operation.TN registers to TNM, TNM safeguards a registration table, in order to management be positioned at secure border with all nodes, and by the trusted node set of the record management dynamic change in increase/delete list, thereby guarantee to only have trusted node can participate in deploying virtual machine and transition process, and guarantee the fail safe of whole deployment and transition process.
The basic ideas that clean room cloud computing model solves comprehensive clean room computing environment are: first, realize TVMM in conjunction with reliable computing technology and Intel Virtualization Technology; Then, cooperate with TNM by TVMM, on the one hand, the execution of virtual machine is limited in TN; On the other hand, in the time that virtual machine moves in network (comprise initiate virtual machine and two kinds of situations of virtual machine (vm) migration), the state of protection virtual machine is not monitored and revise; Finally, credible while utilizing integrity verification in TVMM agency to guarantee virtual machine operation.
Clean room state security framework constructing technology
Build in order to realize clean room state security framework, need to guarantee the fail safe of following three processes: monitor of virtual machine (Virtual Machine Monitor, the fail safe of the VMM) fail safe of deployment, VMM start-up course and the fail safe of VMM running, thus realize TVMM.In order to guarantee that VMM disposes and the fail safe of start-up course, this project hypothesis node mainboard has embedded credible platform module (TPM) chip, so that the root of trust of credible calculating to be provided.In TPM, there are a series of platform configuration register (Platform Configuration Register, PCR).PCR is the measurement root of trust program of TPM, by the input/input bus between " eavesdropping " external equipment and CPU I/O control centre, obtain the measurement result of the software execution environment from external equipment to platform, and be recorded in volatile memory.User is by remote authentication mode, " challenge-reply " mechanism is obtained the measurement result in multiple PCR, and by the measurement list receiving and desired value comparison, thereby judge whether VMM is deployed on the Cloud Server that has embedded credible platform module, and judge the whether safety of start-up course of VMM.
The fail safe when difficult point that clean room state security framework builds is how to guarantee VMM operation.Existing method is that integrality and credibility when VMM is moved by the mode of remote authentication measured.Because VMM is the software that priority level is the highest, therefore, the VMM of malice may tackle remote authentication, thereby before checking is carried out, removes and attack vestige, or distort real the result.Therefore, remote authentication process must guarantee: 1. measure reconditely.The measurement of VMM need to hiddenly thickly be carried out, in order to avoid VMM finds the execution of measuring and removes any vestige.2. the atomicity of proof procedure.Proof procedure Once you begin just can not be interrupted or distort.3. measurement environment information integrity.Obtain the true context environmental of VMM, comprise data and the code of VMM, and the integrality state of CPU.4. the authenticity of measurement result.Authentication result is sent to remote authentication side safely, must not be tampered, fake.
The present invention supposes that node has been equipped can Remote triggering system management interrupt (SystemManagementInterrupt, SMI) frequency band outer channel (for example, IBM BladerCenter), utilize System Management Mode (System Management Model, SMM), IPMI (Intelligent Platform Management Interface, IPMI), and Baseboard Management Controller (Baseboard Management Controller, BMC), the dynamic integrality of the running of the mode of user by remote authentication to VMM is carried out " hidden close " and " atom " and is detected (" atom " detect refer to guarantee that proof procedure is not interrupted or distorts), obtain true, credible, complete measurement result.
When the operation of TVMM, the detection of integrality is carried out by dynamic management device (Dynamic Management, DM).DM is by two module compositions: be arranged in the system management interrupt processor (System Management Random Access Memory, SMRAM) of system management random access memory and be positioned at TVMM integrity measurement agency.User utilizes based on IPMI and BMC frequency band outer channel, realizes the dynamic integrality of VMM running is detected in the mode of far call DM.Remote authentication process as shown in Figure 3.
The demand for security of remote authentication process is as follows:
1. realize concealed measurement.The measurement of VMM need to hiddenly thickly be carried out, in order to avoid VMM finds the execution of measuring and removes " any vestige ".Realize hidden close measurement and face following two main challenges: first, the SMI being produced by BMC may be cancelled by the VMM of malice or re-route.Therefore, need to prevent that SMI from being revised by VMM.This problem can be solved by remote authentication process: if SMI is cancelled, remote entity cannot be received measurement result in finite time, thereby infers that SMI is cancelled by VMM malice.Secondly, VMM has the ability that triggers SMI, can call to conceal original SMI by puppet measurement and call, and removes " attack vestige ".Therefore, in order to distinguish by frequency band outer channel, calling with the puppet of VMM of SMI called, this project adopts a series of status registers that can not be distorted by software (comprising VMM) to store the type that SMI calls, and adopt universal input port routing table to record the interrupt type that each universal input port produces, guarantee to only have the universal input port being connected with BMC could trigger SMI.
2. guarantee the integrality of DM assembly.Because measurement agent is arranged in VMM, therefore, before measuring execution, need to guarantee the integrality of measurement agent.First, need to realize the credible startup (as shown in Figure 4) of SMI processor, the credible measurement root of core (Core Root ofTrust Measurement from BIOS, CRTM) inspection of complete self-examination and executable code starts, until all component is all measured complete in start-up course.Secondly, need to guarantee that SMI processor is before calling measurement agent, first computation and measurement is acted on behalf of the cryptographic Hash of correlative code, with confirmatory measurement agency's integrality.
3. guarantee that proof procedure Once you begin just does not allow to be interrupted or to distort, guarantee the continuity of proof procedure, that is to say and guarantee that this checking is initial that original checking of initiating always.In order to guarantee that proof procedure Once you begin just can not be interrupted or distort, there is interruption or abnormal once adopt correlation technique assurance to measure in implementation, measure control stream and will directly forward SMI processor to.
4. guarantee measurement environment information integrity.Obtain complete, the real context environmental of VMM, comprise data and the code of VMM, in the time being interrupted by SMI, CPU may be in VMM/ root operator scheme, also may be in user virtual machine/non-operator scheme.Only, when CPU operates under root operator scheme, measurement agent can obtain complete metrical information by interrupts of CPU; And in the time that CPU operates in non-operator scheme, measurement agent cannot obtain any metrical information.Therefore, project adopts rollback technology, by injecting an instruction that causes virtual machine unconditionally to exit, forces CPU core to transfer to VMM from user virtual machine.Whole process VMM can not discover, also uncontrollable.Back off procedure is as follows: keep the value in all registers, and next instruction and address; Inject a privileged instruction and replace next instruction; Once an event is counted, Performance register is set for overflowing; Revise Advanced Programmable Interrupt Controllers APICs (Local Advanced Programmable Interrupt Controller, LAPIC) to such an extent as to Performance register overflows and causes SMI to interrupt.
5. guarantee measurement result authenticity.Authentication result is sent to remote authentication side safely, must not be tampered, fake.
As shown in Figure 5, model adopts remote authentication mode to guarantee the authenticity of result.In system starting process, for platform produces a public/private keys pair, before pinning SMRAM, private key is left in SMRAM, and PKI is left in the static PCR of TPM.In order to obtain the result of measuring process, long-distance user sends a request and a random number is acted on behalf of to checking.Checking agency produces two different signature values by obtaining based on random number: first is static authentication output, by TPM private key signature; Second is the result of measuring, by the private key signature of SMI processor.By relatively sign can judged result authenticity.
Clean room state safety transfer technology
In order to realize the safety transfer of virtual machine, need to guarantee: 1. deploying virtual machine is in a trusted node.2. the fail safe of virtual machine moving process between user side and trusted node.3. in virtual machine (vm) migration process, guarantee the fail safe of virtual machine moving process between trusted node.In whole transition process, CSP cannot monitor or destroy initial condition and the executing state of virtual machine.
TNM safeguards a trusted node aggregate list, record be positioned at secure border with the public endorsement key of node, this node and the measurement list of expecting, and announce the endorsement key PKI of oneself, measurement list and the trusted key PKI of expectation.Between TNM and trusted node, carry out the credibility of mutual verification platform by the integrality of remote authentication confirmatory measurement list.In order to realize the fail safe of virtual machine executing state transition process between node, first need to guarantee that source node and destination node are all trusted node, secondly need to guarantee that virtual machine state is safe in transition process.Therefore, in transition process, the credibility of source node request TNM checking destination node.If source node and destination node are all arranged in trusted node set, TNM allows two nodes directly communicate.Between source node and destination node, consult a session key, encrypt the relevant information in virtual machine (vm) migration process.In order to guarantee integrality and the fail safe of virtual machine (vm) migration process, source node calculates the cryptographic Hash of virtual machine identity, and will after virtual machine identity and cryptographic Hash encryption, pass to destination node.
Virtual machine (vm) migration process as shown in Figure 6.In order to realize the fail safe of virtual machine executing state transition process between node, first need to guarantee source node N swith destination node N dbe all trusted node, secondly need to guarantee that virtual machine state is safe in transition process.
1) N srequest TNM checking N dcredibility.N sfirst select a challenge of initiating to TNM
Figure BDA0000474278530000131
then utilize the private key of its trusted key
Figure BDA0000474278530000132
encrypted challenge and N didentity
Figure BDA0000474278530000133
finally by produce ciphertext and
Figure BDA0000474278530000134
with the PKI of the trusted key of TNM
Figure BDA0000474278530000135
encrypt, and the result of generation is sent to TNM.
2) credibility of TNM checking source node and destination node.First, TNM utilizes the private key of its trusted key decrypt, and checking N sidentity whether be arranged in trusted node set.If N sbe trusted node, utilize N sthe PKI of trusted key
Figure BDA0000474278530000137
deciphering
Figure BDA0000474278530000138
and challenge, and checking N didentity whether be arranged in trusted node set.If N dbe trusted node, utilize N sthe PKI of trusted key
Figure BDA0000474278530000139
encrypted challenge and N dthe PKI of trusted key
Figure BDA0000474278530000141
finally, again encrypt the ciphertext of generation with the private key of its trusted key, and result is returned to N s.
3) N swith N dbetween consult a session key SK, to guarantee the state confidentiality in VM transition process.N safter decrypt, can obtain N dthe PKI of trusted key
Figure BDA0000474278530000142
n sfirst select a session key SK, and to N dinitiate a challenge
Figure BDA0000474278530000143
then, utilize the private key of its trusted key encrypt SK and
Figure BDA0000474278530000145
finally, utilize N dthe PKI of trusted key encrypt the identity of oneself and the ciphertext of generation, and result is sent to N d.
4) before the key that accepts session, N dfirst verify N swhether credible.N dfirst utilize the private key of its trusted key
Figure BDA0000474278530000147
decrypt N sidentity
Figure BDA0000474278530000148
then, N dinitiate a challenge to TNM
Figure BDA0000474278530000149
and utilize the private key of its trusted key
Figure BDA00004742785300001410
encrypted challenge and
Figure BDA00004742785300001411
finally utilize TNM trusted key public key encryption produce ciphertext and
Figure BDA00004742785300001412
and result is sent to TNM.
5) TNM decrypts N sand N didentity, verify whether both are trusted node.If so, first utilize N dthe private key of trusted key
Figure BDA00004742785300001413
encrypted challenge and N sthe PKI of trusted key
Figure BDA00004742785300001414
finally, with its trusted key private key
Figure BDA00004742785300001415
encrypt the ciphertext generating, and the result of generation is returned to N d.
6) if mutually authenticated N dthe reply key SK that accepts session, and utilize SK encrypted challenge
Figure BDA00004742785300001416
after, send to N s.
7) in order to guarantee integrality and the confidentiality of virtual machine (vm) migration process, N scalculate the cryptographic Hash of virtual machine identity, and will after virtual machine identity and cryptographic Hash encryption, pass to N d.
Clean room state Real-time Monitor Technique
The virtual machine that TVMM operation is two types: user virtual machine and managing virtual machines.Managing virtual machines is responsible for memory space, the internal memory of configure user virtual machine, determines the strategy of employing, for user virtual machine provides high-level interface.TVMM carries out these tasks for managing virtual machines provides a base interface, and initiates integrity measurement agency the integrality of user virtual machine is verified.Integrity measurement agency intercepts and captures all processes, comprises monitor service request, system call and hardware interrupts.System call, before handing to operating system of user kernel, can first be trapped in TVMM.Now, integrity measurement agency intercepts and captures all system calls that user virtual machine is initiated, and detects context environmental and the input parameter intercepted and captured.
Clean room state in real time monitoring relates to three processes: integrity measurement result and the protection user memory of initiatively monitoring, obtain Semantic Aware.
1) initiatively monitoring (interception comprises system call, interruption and abnormal) makes credible VMM can keep the up-to-date view of user virtual machine memory mapping.Once memory mapping changes,, in the time that user virtual machine creates, stops or revises consumer process or kernel module, TVMM can intercept and capture dependent event, and again initiates integrity checking.Mainly comprise: 1. intercept and capture key user's event.In order to detect context environmental and the input of user virtual machine initiated event, once event is trapped in TVMM, integrity measurement agency checks register, software stack, the software heap of user virtual machine at once.The information detecting comprises: the instruction of event type, event argument, working procedure and stack pointer.Once kernel completes event handling, integrity measurement agency will force it to be again absorbed in TVMM.For interrupting with abnormal, the event return address being stored in kernel is become an illegal address by TVMM.Once event is returned to illegal address, the protection fault of TVMM will be caused being absorbed in.2. interception system calls.Simply utilize rewriting system call return address technology effectively intercepting system call because system call has multiple return addresses conventionally, and there is kernel reentry situation.For both of these case, can adopt the system call interception in system call Interception Technology and the kernel reentry situation in the situation of many return addresses to force system call to be intercepted and captured by TVMM before being delivered to system kernel, and make TVMM intercept and capture the system call that all user virtual machine send, and the context environmental calling and input parameter, thereby realize initiatively monitoring completely.
Integrity measurement is acted on behalf of process that intercepting system calls as shown in Figure 7.1. process a initiates a system call.Integrity measurement agency preserves desired data, and debug registers is set.2. kernel suspends the thread moving, calling process b.Before context switch occurs, to carry out and be trapped in TVMM, integrity measurement is acted on behalf of reset debug registers.3. process b initiates a system call.Integrity measurement agency creates new one in list, and utilizes new value that debug registers is set.4. kernel completes the system call of process b, and a debugger is absorbed in TVMM by instruction extremely.Before TVMM returns results to calling process, integrity measurement has been acted on behalf of the process that it is detected.5. kernel continues calling of process a.Integrity measurement agency is known context switch, and recovers the value of the debug registers keeping.6. called, integrity measurement agency starts to measure the storage area as calling result.7. after load page, a protection exception occurs.This process is continued until that all pages are all loaded.8. integrity measurement agency measures region of memory, recovers original kernel output, and returns to consumer process.
2) measurement result of obtaining complete and Semantic Aware requires operating system nucleus before working procedure, to load complete program, and is verified at once the integrality of whole program by credible VMM.Therefore, 1. need to tackle related system and call, and force kernel before working procedure, to load complete routine, to guarantee to obtain complete metrical information; 2. in the time that program code and primary data piecemeal are loaded into internal memory, the continuous hash function value that requires integrity measurement agency to calculate at once whole program is determined its integrality.
3) user memory protection requires: 1. user virtual machine can only be carried out the user program of measured mistake.2. user can find any illegal modifications to the user program of measuring.In order to guarantee only to carry out the user program of measured mistake, perfect measurement agency utilizes NX-bit page protection identification technology, once make the page from being had protective emblem carry out instruction, will cause one to be trapped in the abnormal of TVMM.TVMM is absorbed in the renewal of all User Page tables, tests the address whether it mates the page carried out of any program association that has completed measurement, thus the information integrity that checking is obtained from user's kernel.Be modified for fear of all programs of having measured, integrity measurement agency be all designated the page carried out of all measurements and can not write.Measured the page once assailant attempts to revise, one will produce, and process is trapped in to TVMM extremely.In addition, executable operations and the write operation of a page of restriction can not occur simultaneously.
Beneficial effect:
Clean room cloud computing data processing method of the present invention and system, take clean room cloud computing model as framework, take clean room state security framework constructing technology, clean room state safety transfer technology and clean room state Real-time Monitor Technique as technological means; Described clean room cloud computing model is made up of credible virtual monitor unit (TVMM), trusted node manager (TNM) and trusted node (TN); Realize believable monitor of virtual machine by clean room state security framework constructing technology, ensure that monitor of virtual machine is disposed, the fail safe of start-up and operation process; Realize the deployment of virtual machine in trusted node by clean room state safety transfer technology, ensure the fail safe of virtual machine (vm) migration process; By clean room state Real-time Monitor Technique, the dynamic integrality while realizing virtual machine operation; Based on the use agreement of user and cloud service provider (CSP) signing, user carries out concealed measurement by credible virtual monitor unit to service execution environment, thereby service execution environmental limitations, in safe border, is realized to the safety isolation/virtual locking mechanisms of clean room state; If the integrality of execution environment is destroyed, credible virtual monitor unit provides warning to user; Described use agreement is relevant expense mode and the restricted responsibility content with usage platform service of signing between user and CSP.This clean room cloud computing data processing method and system have advantages of safe.
Clean room cloud computing theory has comprised cloud service " service state " and " clean room state " these two brand-new scientific concepts, and Intel Virtualization Technology and reliable computing technology are organically combined, and realizes the safety isolation/virtual locking mechanisms under clean room state.First, realize TVMM in conjunction with reliable computing technology and Intel Virtualization Technology; Then, cooperate with TNM by TVMM, on the one hand, the execution of virtual machine is limited in trusted node; On the other hand, in the time that virtual machine moves in network (comprise initiate virtual machine and two kinds of situations of virtual machine (vm) migration), the state of protection virtual machine is not monitored and revise; Finally, credible while utilizing integrity verification in TVMM agency to guarantee virtual machine operation.
At present, be the important research direction that realizes secure cloud calculation services in conjunction with reliable computing technology and Intel Virtualization Technology.On the one hand, utilize isolation mech isolation test that Intel Virtualization Technology provides by entity running space separately, by the behavior of monitoring mechanism dynamic measurement entity, find and get rid of unexpected phase mutual interference.On the other hand, ensure the dynamic integrality of virtual machine by credible tolerance mechanism, realize the credible intercommunication of different virtual environment by credible report mechanism, realize Data Migration, storage and access control by trusted storage mechanism.But, current work endeavour chamber in the safety of cloud service that realizes specific level, cannot arrive the comprehensively clean target of cloud service.Facing cloud calculation services environment of the present invention, use for reference the thought of exploitation " zero-fault " or " approaching zero-fault " software in " cleanroom software engineering ", combined with virtual technology and reliable computing technology, build from clean room state security framework, to VMM deployment, operation and VM migration and operation, realize the clean room cloud computing service environment of the safety isolation/virtual locking mechanisms under clean room state.
Clean room cloud computing data processing method of the present invention and system, be conducive to make full use of the advantage such as cloud computing is ultra-large, virtual, when user brings efficient, extendible on-demand service, farthest ensures user's data security and privacy; Make full use of that computing technique fast development, computational resource are become stronger day by day, rich and varied the brought new demand of application mode and the new opportunity that provides, analyze the great change in the cloud computing security strategy of bringing therefrom, towards novel computing environment, preemption techniques commanding elevation in the new situation, strengthen self competitiveness, make China's information industry in the new century, step into world's rank of advanced units, meet the great demand of China's strategic development, for China is information-based and industrialized fusion and development power-assisted, for the enterprise that uses cloud computing technology brings great economic benefit.
The hierarchical system structure of facing cloud calculation services of the present invention, build one dynamic, autonomous with believable clean room computational resource pond as basis, realize the conversion between " service state " and " clean room state ", guarantee fail safe, reliability and the integrality of data handling procedure, to meet, large-scale data walks abreast and the reliability requirement of distributed treatment, progressively set up clean room cloud computing theory system of new generation, for the technological innovation of the new application of cloud computing provides basic theory support.
The clean room cloud computing theory that the present invention proposes is to guarantee that cloud computing service key feature is as prerequisite, by farthest guaranteeing the safety of user data processing procedure, promote cloud computing technology can really be dissolved into as a kind of emerging computation model in the middle of the production and life of human society, just convenient and practical and safe and reliable as people use running water, electricity, coal gas, thus larger economic benefit and social benefit brought.
Accompanying drawing explanation
Fig. 1. in clean room cloud computing, serve the conversion schematic diagram between state and clean room state;
Fig. 2. clean room cloud computing model schematic diagram;
Fig. 3. the process schematic diagram of Dynamic Execution environment remote authentication;
Fig. 4 .SMI is credible start-up course schematic diagram;
Fig. 5. remote authentication TVMM process schematic diagram;
The process schematic diagram that Fig. 6 .VM moves between trusted node;
Fig. 7. integrity measurement is acted on behalf of the process schematic diagram that intercepting system calls;
Embodiment
Below with reference to the drawings and specific embodiments, the present invention is described in further details:
Embodiment 1:
A kind of clean room cloud computing data processing method, take clean room cloud computing model as framework;
Described clean room cloud computing model is made up of credible virtual monitor unit TVMM, trusted node manager TNM and trusted node TN;
Wherein, credible virtual monitor unit is that TVMM is the software between hardware platform and user virtual machine, and is positioned in secure border, is responsible for the operation of monitoring virtual machine;
Trusted node be TN for be positioned at secure border with, moved the node of creditable calculation modules (Trusted Platform Module, TPM);
Trusted node manager is that TNM is positioned at beyond secure border, is not subject to the control of CSP, can be both the software that user moves, and can be also the software that user entrusts trusted third party's operation;
TN registers to TNM, TNM safeguards a registration table, in order to management be positioned at secure border with all nodes, and by the trusted node set of the record management dynamic change in increase/delete list, thereby guarantee to only have trusted node can participate in deploying virtual machine and transition process, and guarantee the fail safe of whole deployment and transition process;
Based on the use agreement of user and CSP signing, user carries out concealed measurement by credible virtual monitor unit to service execution environment; If the integrality of execution environment is destroyed, credible virtual monitor unit provides warning to user;
Described use agreement has determined that CSP provides the authority of service.
The situation of violating described use agreement comprises spies on, distorts and destroy service execution environment, is also user virtual machine.
Embed credible platform module (TPM) chip at the mainboard of trusted node, so that the root of trust of credible calculating to be provided; In TPM, there are a series of platform configuration register (Platform Configuration Register, PCR); PCR is the measurement root of trust program of TPM, monitor the input/input bus between external equipment and CPU I/O control centre by secret, obtain the measurement result of the software execution environment from external equipment to platform, and be recorded in volatile memory; User is by remote authentication mode, " challenge-reply " mechanism is obtained the measurement result in multiple PCR, and by the measurement list receiving and desired value comparison, thereby judge whether VMM is deployed on the Cloud Server that has embedded credible platform module, and judge the whether safety of start-up course of VMM;
In remote authentication process, obtain the true context environmental of VMM, comprise data and the code of VMM, and the integrality state of CPU; Authentication result is sent to remote authentication side safely, and is not tampered and fakes;
Having equipped in trusted node can Remote triggering system management interrupt (System Management Interrupt, SMI) frequency band outer channel (for example, IBM BladerCenter), utilize System Management Mode (System Management Model, SMM), IPMI (Intelligent Platform Management Interface, IPMI), and Baseboard Management Controller (Baseboard Management Controller, BMC), the dynamic integrality of the running of the mode of user by remote authentication to VMM is carried out hidden close detection, and guarantee that proof procedure is not interrupted or distorts, obtain true, credible, complete measurement result.
When the operation of TVMM, the detection of integrality is carried out by dynamic management device (Dynamic Management, DM); DM is by two module compositions: be arranged in the system management interrupt processor (System Management Random Access Memory, SMRAM) of system management random access memory and be positioned at TVMM integrity measurement agency; User utilizes based on IPMI and BMC frequency band outer channel, realizes the dynamic integrality of VMM running is detected in the mode of far call DM.
In remote authentication process:
1. realize concealed measurement: the SMI first being produced by BMC may be cancelled by the VMM of malice or re-route; If SMI is cancelled, remote entity cannot be received measurement result in finite time, thereby infer that SMI is cancelled by VMM malice; Secondly, VMM has the ability that triggers SMI, can call to conceal original SMI by puppet measurement and call; In order to distinguish by frequency band outer channel, calling with the puppet of VMM of SMI called, adopt a series of status registers that can not be distorted by software to store the type that SMI calls, and adopt universal input port routing table to record the interrupt type that each universal input port produces, guarantee to only have the universal input port being connected with BMC could trigger SMI;
2. guarantee the integrality of DM assembly: first, need to realize the credible startup of SMI processor, the credible measurement root of core (Core Root ofTrust Measurement from BIOS, CRTM) inspection of complete self-examination and executable code starts, until all component is all measured complete in start-up course; Secondly, need to guarantee that SMI processor is before calling measurement agent, first computation and measurement is acted on behalf of the cryptographic Hash of correlative code, with confirmatory measurement agency's integrality;
3. guarantee that proof procedure is not interrupted or distorts: in order to guarantee that proof procedure Once you begin just can not be interrupted or distort, once guarantee to measure in implementation, interruption or abnormal has occurred, stream is controlled in measurement will directly forward SMI processor to;
4. guarantee measurement environment information integrity: obtain complete, the real context environmental of VMM, comprise data and the code of VMM, in the time being interrupted by SMI, adopt rollback technology, by injecting an instruction that causes virtual machine unconditionally to exit, force CPU core to transfer to VMM from user virtual machine; Back off procedure is as follows: keep the value in all registers, and next instruction and address; Inject a privileged instruction and replace next instruction; Once an event is counted, Performance register is set for overflowing; Revise Advanced Programmable Interrupt Controllers APICs (Local Advanced Programmable Interrupt Controller, LAPIC) to such an extent as to Performance register overflows and causes SMI to interrupt;
Model adopts remote authentication mode to guarantee the authenticity of result: in system starting process, for platform produces a public/private keys pair, before pinning SMRAM, private key is left in SMRAM, and PKI is left in the static PCR of TPM; In order to obtain the result of measuring process, long-distance user sends a request and a random number is acted on behalf of to checking; Checking agency produces two different signature values by obtaining based on random number: first is static authentication output, by TPM private key signature; Second is the result of measuring, by the private key signature of SMI processor; By relatively sign can judged result authenticity.
TNM safeguards a trusted node aggregate list, record be positioned at secure border with the public endorsement key of node, this node and the measurement list of expecting, and announce the endorsement key PKI of oneself, measurement list and the trusted key PKI of expectation; Between TNM and trusted node, carry out the credibility of mutual verification platform by the integrality of remote authentication confirmatory measurement list; In transition process, the credibility of source node request TNM checking destination node; If source node and destination node are all arranged in trusted node set, TNM allows two nodes directly to communicate; Between source node and destination node, consult a session key, encrypt the relevant information in virtual machine (vm) migration process; In order to guarantee integrality and the fail safe of virtual machine (vm) migration process, source node calculates the cryptographic Hash of virtual machine identity, and will after virtual machine identity and cryptographic Hash encryption, pass to destination node;
Concrete credible virtual machine transition process is as follows:
1) N srequest TNM checking N dcredibility: N sfirst select a challenge of initiating to TNM
Figure BDA0000474278530000211
then utilize the private key of its trusted key
Figure BDA0000474278530000212
encrypted challenge and N didentity
Figure BDA0000474278530000213
finally by produce ciphertext and
Figure BDA0000474278530000214
with the PKI of the trusted key of TNM
Figure BDA0000474278530000215
encrypt, and the result of generation is sent to TNM;
2) credibility of TNM checking source node and destination node: first, TNM utilizes the private key of its trusted key
Figure BDA0000474278530000216
decrypt, and checking N sidentity whether be arranged in trusted node set; If N sbe trusted node, utilize N sthe PKI of trusted key
Figure BDA0000474278530000217
deciphering
Figure BDA0000474278530000218
and challenge, and checking N didentity whether be arranged in trusted node set; If N dbe trusted node, utilize N sthe PKI of trusted key
Figure BDA0000474278530000219
encrypted challenge and N dthe PKI of trusted key
Figure BDA00004742785300002110
finally, again encrypt the ciphertext of generation with the private key of its trusted key, and result is returned to N s;
3) N swith N dbetween consult a session key SK, to guarantee the state confidentiality in VM transition process, N safter decrypt, can obtain N dthe PKI of trusted key n sfirst select a session key SK, and to N dinitiate a challenge
Figure BDA00004742785300002112
then, utilize the private key of its trusted key
Figure BDA00004742785300002113
encrypt SK and
Figure BDA00004742785300002114
finally, utilize N dthe PKI of trusted key
Figure BDA00004742785300002115
encrypt the identity of oneself and the ciphertext of generation, and result is sent to N d;
4) before the key that accepts session, N dfirst verify N swhether credible; N dfirst utilize the private key of its trusted key
Figure BDA00004742785300002116
decrypt N sidentity
Figure BDA00004742785300002117
then, N dinitiate a challenge to TNM
Figure BDA00004742785300002118
and utilize the private key of its trusted key encrypted challenge and finally utilize TNM trusted key public key encryption produce ciphertext and
Figure BDA0000474278530000221
and result is sent to TNM;
5) TNM decrypts N sand N didentity, verify whether both are trusted node; If so, first utilize N dthe private key of trusted key
Figure BDA0000474278530000222
encrypted challenge and N sthe PKI of trusted key
Figure BDA0000474278530000223
finally, with its trusted key private key
Figure BDA0000474278530000224
encrypt the ciphertext generating, and the result of generation is returned to N d;
6) if mutually authenticated N dthe reply key SK that accepts session, and utilize SK encrypted challenge
Figure BDA0000474278530000225
after, send to N s;
7) in order to guarantee integrality and the confidentiality of virtual machine (vm) migration process, N scalculate the cryptographic Hash of virtual machine identity, and will after virtual machine identity and cryptographic Hash encryption, pass to N d.
The virtual machine that TVMM operation is two types: user virtual machine and managing virtual machines; Managing virtual machines is responsible for memory space, the internal memory of configure user virtual machine, determines the strategy of employing, for user virtual machine provides high-level interface; TVMM carries out these tasks for managing virtual machines provides a base interface, and initiates integrity measurement agency the integrality of user virtual machine is verified; Integrity measurement agency intercepts and captures all processes, comprises monitor service request, system call and hardware interrupts; System call, before handing to operating system of user kernel, can first be trapped in TVMM; Now, integrity measurement agency intercepts and captures all system calls that user virtual machine is initiated, and detects context environmental and the input parameter intercepted and captured;
Clean room state in real time monitoring relates to three processes: integrity measurement result and the protection user memory of initiatively monitoring, obtain Semantic Aware;
1) initiatively monitoring makes credible VMM can keep the up-to-date view of user virtual machine memory mapping; Once memory mapping changes,, in the time that user virtual machine creates, stops or revises consumer process or kernel module, TVMM can intercept and capture dependent event, and again initiates integrity checking; Comprise: 1. intercept and capture key user's event: in order to detect context environmental and the input of user virtual machine initiated event, once event is trapped in TVMM, integrity measurement agency checks register, software stack, the software heap of user virtual machine at once; The information detecting comprises: the instruction of event type, event argument, working procedure and stack pointer; Once kernel completes event handling, integrity measurement agency will force it to be again absorbed in TVMM; For interrupting with abnormal, the event return address being stored in kernel is become an illegal address by TVMM; Once event is returned to illegal address, the protection fault of TVMM will be caused being absorbed in.2. interception system calls: adopt the system call interception in system call Interception Technology and the kernel reentry situation in the situation of many return addresses to force system call to be intercepted and captured by TVMM before being delivered to system kernel, and make TVMM intercept and capture the system call that all user virtual machine send, and the context environmental calling and input parameter, thereby realize initiatively monitoring completely;
Integrity measurement is acted on behalf of the process that intercepting system calls: 1. process a initiates a system call; Integrity measurement agency preserves desired data, and debug registers is set; 2. kernel suspends the thread moving, calling process b; Before context switch occurs, to carry out and be trapped in TVMM, integrity measurement is acted on behalf of reset debug registers; 3. process b initiates a system call; Integrity measurement agency creates new one in list, and utilizes new value that debug registers is set; 4. kernel completes the system call of process b, and a debugger is absorbed in TVMM by instruction extremely.Before TVMM returns results to calling process, integrity measurement has been acted on behalf of the process that it is detected; 5. kernel continues calling of process a; Integrity measurement agency is known context switch, and recovers the value of the debug registers keeping; 6. called, integrity measurement agency starts to measure the storage area as calling result; 7. after load page, a protection exception occurs; This process is continued until that all pages are all loaded; 8. integrity measurement agency measures region of memory, recovers original kernel output, and returns to consumer process;
2) measurement result of obtaining complete and Semantic Aware requires operating system nucleus before working procedure, to load complete program, and is verified at once the integrality of whole program by credible VMM; Interception related system calls, and forces kernel before working procedure, to load complete routine, to guarantee to obtain complete metrical information; In the time that program code and primary data piecemeal are loaded into internal memory, the continuous hash function value that requires integrity measurement agency to calculate at once whole program is determined its integrality;
3) user memory protection: in order to guarantee only to carry out the user program of measured mistake, perfect measurement agency utilizes NX-bit page protection identification technology, once make the page from being there is protective emblem carry out instruction, will cause one to be trapped in the abnormal of TVMM; TVMM is absorbed in the renewal of all User Page tables, tests the address whether it mates the page carried out of any program association that has completed measurement, thus the information integrity that checking is obtained from user's kernel; Be modified for fear of all programs of having measured, integrity measurement agency be all designated the page carried out of all measurements and can not write; Measured the page once assailant attempts to revise, one will produce, and process is trapped in to TVMM extremely; In addition, executable operations and the write operation of a page of restriction can not occur simultaneously.
A kind of clean room cloud computing data handling system, is made up of credible virtual monitor unit TVMM, trusted node manager TNM and trusted node TN;
Wherein, credible virtual monitor unit is that TVMM is the software between hardware platform and user virtual machine, and is positioned in secure border, is responsible for the operation of monitoring virtual machine;
Trusted node be TN be positioned at secure border with, moved the node of creditable calculation modules TPM;
Trusted node manager is that TNM is positioned at beyond secure border, is not subject to the control of CSP, can be both the software that user moves, and can be also the software that user entrusts trusted third party's operation;
TN registers to TNM, TNM safeguards a registration table, in order to management be positioned at secure border with all nodes, and by the trusted node set of the record management dynamic change in increase/delete list, thereby guarantee to only have trusted node can participate in deploying virtual machine and transition process, and guarantee the fail safe of whole deployment and transition process;
Based on the use agreement of user and CSP signing, user carries out concealed measurement by credible virtual monitor unit to service execution environment; If the integrality of execution environment is destroyed, credible virtual monitor unit provides warning to user; Described use agreement has determined that CSP provides the authority of service;
Described clean room cloud computing data handling system is according to the processing of aforesaid clean room cloud computing data processing method implementation data.

Claims (6)

1. a clean room cloud computing data processing method, is characterized in that, take clean room cloud computing model as framework;
Described clean room cloud computing model is made up of credible virtual monitor unit TVMM, trusted node manager TNM and trusted node TN;
Wherein, credible virtual monitor unit is that TVMM is the software between hardware platform and user virtual machine, and is positioned in secure border, is responsible for the operation of monitoring virtual machine;
Trusted node be TN be positioned at secure border with, moved the node of creditable calculation modules TPM;
Trusted node manager is that TNM is positioned at beyond secure border, is not subject to the control of CSP, can be both the software that user moves, and can be also the software that user entrusts trusted third party's operation;
TN registers to TNM, TNM safeguards a registration table, in order to management be positioned at secure border with all nodes, and by the trusted node set of the record management dynamic change in increase/delete list, thereby guarantee to only have trusted node can participate in deploying virtual machine and transition process, and guarantee the fail safe of whole deployment and transition process;
Based on the use agreement of user and CSP signing, user carries out concealed measurement by credible virtual monitor unit to service execution environment; If the integrality of execution environment is destroyed, credible virtual monitor unit provides warning to user;
Described use agreement has determined that CSP provides the authority of service.
2. clean room cloud computing data processing method according to claim 1, is characterized in that, the situation of violating described use agreement comprises spies on, distorts and destroy service execution environment, is also user virtual machine.
3. clean room cloud computing data processing method according to claim 2, is characterized in that, has embedded credible platform module chip at the mainboard of trusted node, so that the root of trust of credible calculating to be provided; In TPM, there are a series of platform configuration register, PCR; PCR is the measurement root of trust program of TPM, monitor the input/input bus between external equipment and CPU I/O control centre by secret, obtain the measurement result of the software execution environment from external equipment to platform, and be recorded in volatile memory; User is by remote authentication mode, " challenge-reply " mechanism is obtained the measurement result in multiple PCR, and by the measurement list receiving and desired value comparison, thereby judge whether VMM is deployed on the Cloud Server that has embedded credible platform module, and judge the whether safety of start-up course of VMM;
In remote authentication process, obtain the true context environmental of VMM, comprise data and the code of VMM, and the integrality state of CPU; Authentication result is sent to remote authentication side safely, and is not tampered and fakes;
Trusted node equipped can Remote triggering system management interrupt frequency band outer channel, utilize System Management Mode, IPMI and Baseboard Management Controller, the dynamic integrality of the running of the mode of user by remote authentication to VMM is carried out hidden close detection, and guarantee that proof procedure is not interrupted or distorts, obtain true, credible, complete measurement result.
When the operation of TVMM, the detection of integrality is carried out by dynamic management device; DM is by two module compositions: be arranged in the system management interrupt processor of system management random access memory and be positioned at TVMM integrity measurement agency; User utilizes based on IPMI and BMC frequency band outer channel, realizes the dynamic integrality of VMM running is detected in the mode of far call DM.
In remote authentication process:
1. realize concealed measurement: the SMI first being produced by BMC may be cancelled by the VMM of malice or re-route; If SMI is cancelled, remote entity cannot be received measurement result in finite time, thereby infer that SMI is cancelled by VMM malice; Secondly, VMM has the ability that triggers SMI, can call to conceal original SMI by puppet measurement and call; In order to distinguish by frequency band outer channel, calling with the puppet of VMM of SMI called, adopt a series of status registers that can not be distorted by software to store the type that SMI calls, and adopt universal input port routing table to record the interrupt type that each universal input port produces, guarantee to only have the universal input port being connected with BMC could trigger SMI;
2. guarantee the integrality of DM assembly: first, need to realize the credible startup of SMI processor, the core complete self-examination of credible measurement root from BIOS and the inspection of executable code start, until all component is all measured complete in start-up course; Secondly, need to guarantee that SMI processor is before calling measurement agent, first computation and measurement is acted on behalf of the cryptographic Hash of correlative code, with confirmatory measurement agency's integrality;
3. guarantee that proof procedure is not interrupted or distorts: in order to guarantee that proof procedure Once you begin just can not be interrupted or distort, once guarantee to measure in implementation, interruption or abnormal has occurred, stream is controlled in measurement will directly forward SMI processor to;
4. guarantee measurement environment information integrity: obtain complete, the real context environmental of VMM, comprise data and the code of VMM, in the time being interrupted by SMI, adopt rollback technology, by injecting an instruction that causes virtual machine unconditionally to exit, force CPU core to transfer to VMM from user virtual machine; Back off procedure is as follows: keep the value in all registers, and next instruction and address; Inject a privileged instruction and replace next instruction; Once an event is counted, Performance register is set for overflowing; Revising Advanced Programmable Interrupt Controllers APICs to such an extent as to Performance register overflows and causes a SMI to interrupt;
Model adopts remote authentication mode to guarantee the authenticity of result: in system starting process, for platform produces a public/private keys pair, before pinning SMRAM, private key is left in SMRAM, and PKI is left in the static PCR of TPM; In order to obtain the result of measuring process, long-distance user sends a request and a random number is acted on behalf of to checking; Checking agency produces two different signature values by obtaining based on random number: first is static authentication output, by TPM private key signature; Second is the result of measuring, by the private key signature of SMI processor; By relatively sign can judged result authenticity.
4. clean room cloud computing data processing method according to claim 2, is characterized in that,
TNM safeguards a trusted node aggregate list, record be positioned at secure border with the public endorsement key of node, this node and the measurement list of expecting, and announce the endorsement key PKI of oneself, measurement list and the trusted key PKI of expectation; Between TNM and trusted node, carry out the credibility of mutual verification platform by the integrality of remote authentication confirmatory measurement list; In transition process, the credibility of source node request TNM checking destination node; If source node and destination node are all arranged in trusted node set, TNM allows two nodes directly to communicate; Between source node and destination node, consult a session key, encrypt the relevant information in virtual machine (vm) migration process; In order to guarantee integrality and the fail safe of virtual machine (vm) migration process, source node calculates the cryptographic Hash of virtual machine identity, and will after virtual machine identity and cryptographic Hash encryption, pass to destination node;
Concrete credible virtual machine transition process is as follows:
1) N srequest TNM checking N dcredibility: N sfirst select a challenge of initiating to TNM
Figure FDA0000474278520000031
then utilize the private key of its trusted key
Figure FDA0000474278520000032
encrypted challenge and N didentity
Figure FDA0000474278520000033
finally by produce ciphertext and
Figure FDA0000474278520000034
with the PKI of the trusted key of TNM
Figure FDA0000474278520000035
encrypt, and the result of generation is sent to TNM;
2) credibility of TNM checking source node and destination node: first, TNM utilizes the private key of its trusted key
Figure FDA0000474278520000036
decrypt, and checking N sidentity whether be arranged in trusted node set; If N sbe trusted node, utilize N sthe PKI of trusted key
Figure FDA0000474278520000037
deciphering
Figure FDA0000474278520000038
and challenge, and checking N didentity whether be arranged in trusted node set; If N dbe trusted node, utilize N sthe PKI of trusted key
Figure FDA0000474278520000039
encrypted challenge and N dthe PKI of trusted key finally, again encrypt the ciphertext of generation with the private key of its trusted key, and result is returned to N s;
3) N swith N dbetween consult a session key SK, to guarantee the state confidentiality in VM transition process, N safter decrypt, can obtain N dthe PKI of trusted key
Figure FDA0000474278520000042
n sfirst select a session key SK, and to N dinitiate a challenge
Figure FDA0000474278520000043
then, utilize the private key of its trusted key
Figure FDA0000474278520000044
encrypt SK and
Figure FDA0000474278520000045
finally, utilize N dthe PKI of trusted key
Figure FDA0000474278520000046
encrypt the identity of oneself and the ciphertext of generation, and result is sent to N d;
4) before the key that accepts session, N dfirst verify N swhether credible; N dfirst utilize the private key of its trusted key
Figure FDA0000474278520000047
decrypt N sidentity then, N dinitiate a challenge to TNM
Figure FDA0000474278520000049
and utilize the private key of its trusted key
Figure FDA00004742785200000410
encrypted challenge and
Figure FDA00004742785200000411
finally utilize TNM trusted key public key encryption produce ciphertext and
Figure FDA00004742785200000412
and result is sent to TNM;
5) TNM decrypts N sand N didentity, verify whether both are trusted node; If so, first utilize N dthe private key of trusted key
Figure FDA00004742785200000413
encrypted challenge and N sthe PKI of trusted key
Figure FDA00004742785200000414
finally, with its trusted key private key
Figure FDA00004742785200000415
encrypt the ciphertext generating, and the result of generation is returned to N d;
6) if mutually authenticated N dthe reply key SK that accepts session, and utilize SK encrypted challenge
Figure FDA00004742785200000416
after, send to N s;
7) in order to guarantee integrality and the confidentiality of virtual machine (vm) migration process, N scalculate the cryptographic Hash of virtual machine identity, and will after virtual machine identity and cryptographic Hash encryption, pass to N d.
5. according to the clean room cloud computing data processing method described in claim 1-4 any one, it is characterized in that,
The virtual machine that TVMM operation is two types: user virtual machine and managing virtual machines; Managing virtual machines is responsible for memory space, the internal memory of configure user virtual machine, determines the strategy of employing, for user virtual machine provides high-level interface; TVMM carries out these tasks for managing virtual machines provides a base interface, and initiates integrity measurement agency the integrality of user virtual machine is verified; Integrity measurement agency intercepts and captures all processes, comprises monitor service request, system call and hardware interrupts; System call, before handing to operating system of user kernel, can first be trapped in TVMM; Now, integrity measurement agency intercepts and captures all system calls that user virtual machine is initiated, and detects context environmental and the input parameter intercepted and captured;
Clean room state in real time monitoring relates to three processes: integrity measurement result and the protection user memory of initiatively monitoring, obtain Semantic Aware;
1) initiatively monitoring makes credible VMM can keep the up-to-date view of user virtual machine memory mapping; Once memory mapping changes,, in the time that user virtual machine creates, stops or revises consumer process or kernel module, TVMM can intercept and capture dependent event, and again initiates integrity checking; Comprise: 1. intercept and capture key user's event: in order to detect context environmental and the input of user virtual machine initiated event, once event is trapped in TVMM, integrity measurement agency checks register, software stack, the software heap of user virtual machine at once; The information detecting comprises: the instruction of event type, event argument, working procedure and stack pointer; Once kernel completes event handling, integrity measurement agency will force it to be again absorbed in TVMM; For interrupting with abnormal, the event return address being stored in kernel is become an illegal address by TVMM; Once event is returned to illegal address, the protection fault of TVMM will be caused being absorbed in.2. interception system calls: adopt the system call interception in system call Interception Technology and the kernel reentry situation in the situation of many return addresses to force system call to be intercepted and captured by TVMM before being delivered to system kernel, and make TVMM intercept and capture the system call that all user virtual machine send, and the context environmental calling and input parameter, thereby realize initiatively monitoring completely;
Integrity measurement is acted on behalf of the process that intercepting system calls: 1. process a initiates a system call; Integrity measurement agency preserves desired data, and debug registers is set; 2. kernel suspends the thread moving, calling process b; Before context switch occurs, to carry out and be trapped in TVMM, integrity measurement is acted on behalf of reset debug registers; 3. process b initiates a system call; Integrity measurement agency creates new one in list, and utilizes new value that debug registers is set; 4. kernel completes the system call of process b, and a debugger is absorbed in TVMM by instruction extremely.Before TVMM returns results to calling process, integrity measurement has been acted on behalf of the process that it is detected; 5. kernel continues calling of process a; Integrity measurement agency is known context switch, and recovers the value of the debug registers keeping; 6. called, integrity measurement agency starts to measure the storage area as calling result; 7. after load page, a protection exception occurs; This process is continued until that all pages are all loaded; 8. integrity measurement agency measures region of memory, recovers original kernel output, and returns to consumer process;
2) measurement result of obtaining complete and Semantic Aware requires operating system nucleus before working procedure, to load complete program, and is verified at once the integrality of whole program by credible VMM; Interception related system calls, and forces kernel before working procedure, to load complete routine, to guarantee to obtain complete metrical information; In the time that program code and primary data piecemeal are loaded into internal memory, the continuous hash function value that requires integrity measurement agency to calculate at once whole program is determined its integrality;
3) user memory protection: in order to guarantee only to carry out the user program of measured mistake, perfect measurement agency utilizes NX-bit page protection identification technology, once make the page from being there is protective emblem carry out instruction, will cause one to be trapped in the abnormal of TVMM; TVMM is absorbed in the renewal of all User Page tables, tests the address whether it mates the page carried out of any program association that has completed measurement, thus the information integrity that checking is obtained from user's kernel; Be modified for fear of all programs of having measured, integrity measurement agency be all designated the page carried out of all measurements and can not write; Measured the page once assailant attempts to revise, one will produce, and process is trapped in to TVMM extremely; In addition, executable operations and the write operation of a page of restriction can not occur simultaneously.
6. a clean room cloud computing data handling system, is characterized in that, is made up of credible virtual monitor unit TVMM, trusted node manager TNM and trusted node TN;
Wherein, credible virtual monitor unit is that TVMM is the software between hardware platform and user virtual machine, and is positioned in secure border, is responsible for the operation of monitoring virtual machine;
Trusted node be TN be positioned at secure border with, moved the node of creditable calculation modules TPM;
Trusted node manager is that TNM is positioned at beyond secure border, is not subject to the control of CSP, can be both the software that user moves, and can be also the software that user entrusts trusted third party's operation;
TN registers to TNM, TNM safeguards a registration table, in order to management be positioned at secure border with all nodes, and by the trusted node set of the record management dynamic change in increase/delete list, thereby guarantee to only have trusted node can participate in deploying virtual machine and transition process, and guarantee the fail safe of whole deployment and transition process;
Based on the use agreement of user and CSP signing, user carries out concealed measurement by credible virtual monitor unit to service execution environment; If the integrality of execution environment is destroyed, credible virtual monitor unit provides warning to user; Described use agreement has determined that CSP provides the authority of service;
Described clean room cloud computing data handling system is according to clean room cloud computing data processing method implementation data claimed in claim 5 processing.
CN201410083476.6A 2014-03-07 2014-03-07 A kind of clean room cloud computing data processing method and system Active CN103841198B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410083476.6A CN103841198B (en) 2014-03-07 2014-03-07 A kind of clean room cloud computing data processing method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410083476.6A CN103841198B (en) 2014-03-07 2014-03-07 A kind of clean room cloud computing data processing method and system

Publications (2)

Publication Number Publication Date
CN103841198A true CN103841198A (en) 2014-06-04
CN103841198B CN103841198B (en) 2017-03-29

Family

ID=50804321

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410083476.6A Active CN103841198B (en) 2014-03-07 2014-03-07 A kind of clean room cloud computing data processing method and system

Country Status (1)

Country Link
CN (1) CN103841198B (en)

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101313071A (en) * 2005-09-26 2008-11-26 绿色细胞有限公司 Transgenic aloe plants for production of proteins and related methods
CN104252401A (en) * 2014-08-29 2014-12-31 北京阅联信息技术有限公司 Weight based device status judgment method and system thereof
CN104410636A (en) * 2014-12-01 2015-03-11 浪潮集团有限公司 Method for enhancing security of BMC/SMC in cloud computing system
CN105184164A (en) * 2015-09-08 2015-12-23 成都博元科技有限公司 Data processing method
CN105205391A (en) * 2015-10-15 2015-12-30 中南大学 Clean room real-time monitoring method based on integrity verification
WO2016026129A1 (en) * 2014-08-22 2016-02-25 Nokia Technologies Oy A security and trust framework for virtualized networks
CN105487935A (en) * 2015-12-07 2016-04-13 中南大学 Active service acquiring method based on environment perception
WO2016083925A1 (en) * 2014-11-28 2016-06-02 International Business Machines Corporation Context-based cloud security assurance system
CN105700945A (en) * 2016-01-12 2016-06-22 中南大学 Clean room environment-based safe virtual machine migration method
CN107040511A (en) * 2015-12-01 2017-08-11 法国布雷维茨公司 Location-based trust computing node in cloud computing architecture
CN107077567A (en) * 2014-10-13 2017-08-18 微软技术许可有限责任公司 Identify the secure border on computing device
CN108322306A (en) * 2018-03-17 2018-07-24 北京工业大学 A kind of cloud platform reliable journal auditing method towards secret protection based on trusted third party
CN109196840A (en) * 2016-06-12 2019-01-11 苹果公司 Modification safe condition is detected by safe range
CN109409084A (en) * 2018-09-21 2019-03-01 中国科学院信息工程研究所 A kind of chained record storage organization that detection return address is tampered
CN109495436A (en) * 2018-04-20 2019-03-19 全球能源互联网研究院有限公司 A kind of credible cloud platform gauging system and method
CN110162937A (en) * 2018-02-09 2019-08-23 黄冈职业技术学院 The method for realizing protecting computer software based on network communication
CN110752934A (en) * 2019-10-28 2020-02-04 江苏大周基业智能科技有限公司 Network identity interactive authentication method under topological structure
CN112204926A (en) * 2018-06-01 2021-01-08 三菱电机株式会社 Data communication control device, data communication control program, and vehicle control system
WO2021073376A1 (en) * 2019-10-17 2021-04-22 华为技术有限公司 Method and device for remote attestation of combined device
US11163865B2 (en) 2019-03-22 2021-11-02 Advanced New Technologies Co., Ltd. Trusted computing method, and server
US11176237B2 (en) 2016-06-12 2021-11-16 Apple Inc. Modifying security state with secured range detection
US11250118B2 (en) 2016-06-12 2022-02-15 Apple Inc. Remote interaction with a device using secure range detection
WO2023061397A1 (en) * 2021-10-12 2023-04-20 中兴通讯股份有限公司 Trusted measurement method and apparatus, computer device, and readable medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102202046A (en) * 2011-03-15 2011-09-28 北京邮电大学 Network-operating-system-oriented trusted virtual operating platform

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102202046A (en) * 2011-03-15 2011-09-28 北京邮电大学 Network-operating-system-oriented trusted virtual operating platform

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
N. SANTOS等: "Towards trusted cloud computing", 《PROCEEDINGS OF THE 2009 CONFERENCE ON HOTTOPICS IN CLOUD COMPUTING, SAN DIEGO, CALIFORNIA》 *
T. GARFINKEL等: "Terra:a virtual machine-based platform for trusted computing", 《SIGOPS OPER.SYST.REV》 *
WANG HAN-ZHANG等: "An improved trusted cloud computing platform model based on DAA and Privacy CA scheme", 《2010 INTERNATIONAL CONFERENCE ON COMPUTER APPLICATION AND SYSTEM MODELING》 *
王含章: "可信云计算平台模型的研究及其改进", 《硕士学位论文电子期刊》 *

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101313071A (en) * 2005-09-26 2008-11-26 绿色细胞有限公司 Transgenic aloe plants for production of proteins and related methods
US10491594B2 (en) 2014-08-22 2019-11-26 Nokia Technologies Oy Security and trust framework for virtualized networks
WO2016026129A1 (en) * 2014-08-22 2016-02-25 Nokia Technologies Oy A security and trust framework for virtualized networks
CN104252401B (en) * 2014-08-29 2017-02-15 北京阅联信息技术有限公司 Weight based device status judgment method and system thereof
CN104252401A (en) * 2014-08-29 2014-12-31 北京阅联信息技术有限公司 Weight based device status judgment method and system thereof
CN107077567A (en) * 2014-10-13 2017-08-18 微软技术许可有限责任公司 Identify the secure border on computing device
WO2016083925A1 (en) * 2014-11-28 2016-06-02 International Business Machines Corporation Context-based cloud security assurance system
CN104410636A (en) * 2014-12-01 2015-03-11 浪潮集团有限公司 Method for enhancing security of BMC/SMC in cloud computing system
CN105184164B (en) * 2015-09-08 2017-11-24 成都博元科技有限公司 A kind of data processing method
CN105184164A (en) * 2015-09-08 2015-12-23 成都博元科技有限公司 Data processing method
CN105205391B (en) * 2015-10-15 2018-08-07 中南大学 A kind of clean room method for real-time monitoring based on integrity verification
CN105205391A (en) * 2015-10-15 2015-12-30 中南大学 Clean room real-time monitoring method based on integrity verification
CN107040511A (en) * 2015-12-01 2017-08-11 法国布雷维茨公司 Location-based trust computing node in cloud computing architecture
CN107040511B (en) * 2015-12-01 2020-07-03 法国布雷维茨公司 Location-based trusted computing nodes in cloud computing architecture
CN105487935A (en) * 2015-12-07 2016-04-13 中南大学 Active service acquiring method based on environment perception
CN105700945A (en) * 2016-01-12 2016-06-22 中南大学 Clean room environment-based safe virtual machine migration method
CN105700945B (en) * 2016-01-12 2019-01-11 中南大学 A kind of secure virtual machine moving method based on clean
US11176237B2 (en) 2016-06-12 2021-11-16 Apple Inc. Modifying security state with secured range detection
CN109196840A (en) * 2016-06-12 2019-01-11 苹果公司 Modification safe condition is detected by safe range
US11250118B2 (en) 2016-06-12 2022-02-15 Apple Inc. Remote interaction with a device using secure range detection
US11178127B2 (en) 2016-06-12 2021-11-16 Apple Inc. Modifying security state with secured range detection
US11582215B2 (en) 2016-06-12 2023-02-14 Apple Inc. Modifying security state with secured range detection
US11438322B2 (en) 2016-06-12 2022-09-06 Apple Inc. Modifying security state with secured range detection
CN110162937B (en) * 2018-02-09 2024-02-02 黄冈职业技术学院 Method for realizing computer software protection based on network communication
CN110162937A (en) * 2018-02-09 2019-08-23 黄冈职业技术学院 The method for realizing protecting computer software based on network communication
CN108322306B (en) * 2018-03-17 2020-11-27 北京工业大学 Privacy protection-oriented cloud platform trusted log auditing method based on trusted third party
CN108322306A (en) * 2018-03-17 2018-07-24 北京工业大学 A kind of cloud platform reliable journal auditing method towards secret protection based on trusted third party
CN109495436A (en) * 2018-04-20 2019-03-19 全球能源互联网研究院有限公司 A kind of credible cloud platform gauging system and method
CN109495436B (en) * 2018-04-20 2021-02-26 全球能源互联网研究院有限公司 Trusted cloud platform measurement system and method
CN112204926B (en) * 2018-06-01 2022-03-04 三菱电机株式会社 Data communication control device, nonvolatile memory, and vehicle control system
CN112204926A (en) * 2018-06-01 2021-01-08 三菱电机株式会社 Data communication control device, data communication control program, and vehicle control system
CN109409084B (en) * 2018-09-21 2021-06-25 中国科学院信息工程研究所 Chain type data storage structure for detecting falsified return address
CN109409084A (en) * 2018-09-21 2019-03-01 中国科学院信息工程研究所 A kind of chained record storage organization that detection return address is tampered
US11163865B2 (en) 2019-03-22 2021-11-02 Advanced New Technologies Co., Ltd. Trusted computing method, and server
WO2021073376A1 (en) * 2019-10-17 2021-04-22 华为技术有限公司 Method and device for remote attestation of combined device
CN110752934A (en) * 2019-10-28 2020-02-04 江苏大周基业智能科技有限公司 Network identity interactive authentication method under topological structure
WO2023061397A1 (en) * 2021-10-12 2023-04-20 中兴通讯股份有限公司 Trusted measurement method and apparatus, computer device, and readable medium

Also Published As

Publication number Publication date
CN103841198B (en) 2017-03-29

Similar Documents

Publication Publication Date Title
CN103841198A (en) Cleanroom cloud computing data processing method and system
Fei et al. Security vulnerabilities of SGX and countermeasures: A survey
Li et al. Exploring new opportunities to defeat low-rate DDoS attack in container-based cloud environment
WO2017210005A1 (en) Systems and methods for detecting attacks in big data systems
CN107025405A (en) The method that cloud availability and silicon are isolated is improved using safe fort
CN103530578B (en) The construction method of a kind of soft structure credible platform module STPM of Android system
CN111158906A (en) Credible cloud system for active immunization
Wang et al. Hybridchain: A novel architecture for confidentiality-preserving and performant permissioned blockchain using trusted execution environment
CN103347027A (en) Trusted network connecting method and system
Jin et al. Cloud virtual machine lifecycle security framework based on trusted computing
Chen et al. A cloud security assessment system based on classifying and grading
Yu et al. A trusted architecture for virtual machines on cloud servers with trusted platform module and certificate authority
Coppola et al. Automation for industry 4.0 by using secure lorawan edge gateways
Jin et al. Trusted attestation architecture on an infrastructure-as-a-service
Yu et al. A cloud certificate authority architecture for virtual machines with trusted platform module
Sajid et al. An analysis on host vulnerability evaluation of modern operating systems
Cai et al. OVERSEE: Outsourcing verification to enable resource sharing in edge environment
Tundalwar et al. A Taxonomy of IoT Security Attacks and Emerging Solutions
Ali et al. SRP: An efficient runtime protection framework for blockchain-based smart contracts
Zhou et al. RAitc: Securely auditing the remotely executed applications
Xie et al. A survey for Communication security of the embedded system
Xiaohong et al. Intelligent computing scheme of blockchain based on trusted execution environment
Zhang et al. Design and implementation of trustzone-based blockchain chip wallet
Hong et al. A dual‐system trusted computing node construction method based on ARM multi‐core CPU architecture
Wu et al. Security risks from vulnerabilities and backdoors

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant