CN103841198B - A kind of clean room cloud computing data processing method and system - Google Patents

A kind of clean room cloud computing data processing method and system Download PDF

Info

Publication number
CN103841198B
CN103841198B CN201410083476.6A CN201410083476A CN103841198B CN 103841198 B CN103841198 B CN 103841198B CN 201410083476 A CN201410083476 A CN 201410083476A CN 103841198 B CN103841198 B CN 103841198B
Authority
CN
China
Prior art keywords
virtual machine
trusted
node
credible
user
Prior art date
Application number
CN201410083476.6A
Other languages
Chinese (zh)
Other versions
CN103841198A (en
Inventor
王国军
刘琴
刘湘勇
齐芳
Original Assignee
中南大学
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中南大学 filed Critical 中南大学
Priority to CN201410083476.6A priority Critical patent/CN103841198B/en
Publication of CN103841198A publication Critical patent/CN103841198A/en
Application granted granted Critical
Publication of CN103841198B publication Critical patent/CN103841198B/en

Links

Abstract

The invention discloses a kind of clean room cloud computing data processing method and system, with clean room cloud computing model as framework, with clean room state security framework constructing technology, clean room state safety transfer technology and clean room state Real-time Monitor Technique as technological means;Described clean room cloud computing model is made up of credible virtual monitor unit (TVMM), trusted node manager (TNM) and trusted node (TN);If the integrity of performing environment is destroyed, credible virtual monitor unit gives the user warning;The clean room cloud computing data processing method and system have the advantages that safe.

Description

A kind of clean room cloud computing data processing method and system

Technical field

The present invention relates to a kind of clean room cloud computing data processing method and system.

Background technology

Cloud computing technology is one of computer realm topic the most popular in recent years, is becoming following computing technique and is sending out One of of paramount importance trend of exhibition.The information of internationally famous science shop Gartner tissues synthesis each side per annual meeting To issue IT technology trends, and choose the ten big key technologies that next three years most merit attention.This is organized in 2014 In the report of year newest issue, cloud computing technology remains one of ten great strategy technological trends.In addition, market research agency The research report of the newest issues of IDC claims that cloud computing technology produces far-reaching influence to IT market, and it not only can be confession Answer business to create many new chances, and promote traditional IT industry that the change of essence occurs.IDC predictions, cloud meter in 2014 The consumption by 1 $ 100 billion is driven is calculated, increased by 25% than 2013;And the underlying hardware construction such as China's cloud computing center in 2014 Can peak, cloud computing architecture market in general scale will be more than 2,000,000,000 dollars to 2015.

Cloud computing technology has become one of guidance quality index of a national industry and information security.In September, 2009 is beautiful Government of state announces a long-term cloud computing policy.In " digital Britain's report " that Britain was issued in 2009, appeal to strengthen The cloud computing deployment of government department.Korean government determines, before 2014, puts into huge fund to field of cloud calculation, strives for making Korea Cloud computing market scale expands 4 times up till now.China has begun to formulate cloud computing national level strategical planning.2010 10 Month, Ministry of Industry and Information and the Committee of Development and Reform combine and issue《The notice of pilot demonstration work is innovated with regard to carrying out cloud computing service》, clearly exist Cloud computing pilot is carried out in Beijing, Shanghai, Shenzhen, Hangzhou, 5, Wuxi city.State Council《With regard to accelerating to cultivate and development strategy The decision of new industry》In explicitly point out:Greatly develop including energy-conserving and environment-protective, generation information technology, biology, high-end equipment The emerging strategic industries such as manufacture, new forms of energy, new material and new-energy automobile.Cloud computing just belongs to wherein generation information technology Category.

With the development of cloud computing technology, the safety problem in cloud computing is increasingly closed by industrial circle and academia Note.Security expert generally believes that cloud computing technology is also very immature, and information security issue has had a strong impact on deployment cloud computing service Paces.Gartner tissues were once pointed out:Although cloud computing has very wide application prospect and huge commercial value, Be, for the user serviced using this, they should be appreciated that cloud computing service exist superuser access, Examination property, Data Position, data isolation, data recovery, investigation are supported, and seven big potential security risk of long term survival [3].In fact, in these security risks, some risks have occurred and that.For example, Google companies reveal privacy of user event, And the service disruption event of Amazon EC2, Google Apps, Windows Azure.According to the cloud computing service that IDC is issued Investigation report shows that Services-Security, stability and performance are the three big market challenges [4] that cloud computing service faces.

Information security concerns the various aspects such as political, economic and cultural of country.China exists《2006-2020 states letter from home Breathization development strategy》In explicitly point out the critical role of information security technology, and national information safety guarantee will be greatly improved Strategic objective of the level as the year two thousand twenty China Informatization Development.Cloud computing technology is used as promoting scientific and technological progress and social development A kind of emerging computation model, it has also become the focus of international competition and commanding elevation, becomes the national overall national strength of measurement one and section Learn one of important indicator of Research Ability.Realize that safe cloud computing not only can promote China's politics, economic, science and technology and country's peace It is complete to build, and, with the development of cloud computing technology, the technology has for enhancing china's overall national strength and sci-tech innovation ability Highly important meaning.

Therefore, it is necessary to design a kind of safety higher data processing method and system for cloud computing.

The content of the invention

The technical problem to be solved is to provide a kind of clean room cloud computing data processing method and system, the clean room Cloud computing data processing method and system have the advantages that safe.

The technical solution of invention is as follows:

A kind of clean room cloud computing data processing method, with clean room cloud computing model as framework;

Described clean room cloud computing model is by credible virtual monitor unit (Trusted Virtual Machine Monitor, TVMM), trusted node manager (Trusted Node Manager, TNM) and trusted node (Trusted Node, TN) constitute;

Wherein, credible virtual monitor unit TVMM is the software being located between hardware platform and user virtual machine 【The realization of TVMM refers to clean room state security framework constructing technology】, and within being located at secure border, it is responsible for the fortune of monitoring virtual machine OK;【Virtual machine refers to the computer system with complete hardware system function of simulation, is that CSP is supplied to user as service , for user, just look like the same using actual computer.】

Trusted node TN is within secure border, has run credible platform module (Trusted Platform Module, TPM) node;

Trusted node manager TNM is located at beyond secure border, is not controlled by CSP, is the software of user's operation, or The software of user's commission trusted third party operation;

TN is registered to TNM, and TNM safeguards a registration table, to manage all nodes within secure border, and By the trusted node set for increasing/deleting the record management dynamic change in table, so as to ensure that only trusted node can be joined With in deploying virtual machine and transition process, and ensure whole deployment and the safety of transition process;

Based on the use agreement that user is signed with CSP, user is entered to service execution scenarios by credible virtual monitor unit The concealed measurement [measuring method is shown in clean room state security framework constructing technology] of row;If the integrity of performing environment is destroyed, Credible virtual monitor unit gives the user warning;

Described use agreement determines the authority that CSP provides service.

The situation for violating described use agreement includes spying on, distort and destroy service execution scenarios, namely user is virtual Machine.

Credible platform module (TPM) chip be embedded in the mainboard of trusted node, to provide the root of trust of trust computing; There are a series of platform configuration registers (Platform Configuration Register, PCR) in TPM;PCR is the survey of TPM Amount trusts rooter, the input by concealed monitoring (eavesdropping) between external equipment and CPU input/output control centre/defeated Enter bus, obtain the measurement result of the software execution environment from external equipment to platform, and be recorded in impermanency and deposit In reservoir;User obtains the measurement result in multiple PCR by remote authentication mode, i.e. " challenge-reply " mechanism, and will connect The measurement list for receiving is compared with expected value, so as to judge whether VMM is deployed in the Cloud Server that embedded in credible platform module On, and judge whether the start-up course of VMM is safe;

In remote certification process, the true context environmental of acquisition VMM, including the data and code of VMM, and CPU Integrity state;Authentication result is transferred safely to remote authentication side, and is not tampered with and fakes;

Trusted node be equipped with can Remote triggering system management interrupt (System Management Interrupt, SMI band channel (for example, IBM BladerCenter)), using SMM (System Management Model, SMM), IPMI (Intelligent Platform Management Interface, IPMI), And Baseboard Management Controller (Baseboard Management Controller, BMC), side of the user by remote authentication Formula carries out hidden close detection to the dynamic integrity of the running of VMM, and ensures that proof procedure is not disrupted or distorts, and obtains Obtain measurement result truly, credible, complete.

The detection of integrity during the operation of TVMM is performed by Dynamics Manager (Dynamic Management, DM);DM by Two components are constituted:System management interrupt processor (System in system management random access memory Management Random Access Memory, SMRAM), and positioned at TVMM integrity measurements act on behalf of;User utilizes base In IPMI and BMC band channels, realize examining the dynamic integrity of VMM runnings in the way of far call DM Survey.

In remote certification process:

1. realize the measurement of secret:May be cancelled or be re-routed by the VMM of malice by the SMI that BMC is produced first;Such as Fruit SMI is revoked, then remote entity will be unable to measurement result is received in finite time, so as to infer that SMI is removed by VMM malice Pin;Secondly, VMM has the ability of triggering SMI, can be called by pseudo-measurement;Pass through to distinguish Band channel is called to the puppet with VMM of calling of SMI, is stored using a series of status registers that can not be distorted by software The type that SMI is called, and protected recording the interrupt type that each universal input port produces using universal input port routing table SMI could be triggered in the universal input port that card is only connected with BMC;

2. ensure the integrity of DM components:Firstly, it is necessary to realize the credible startup of SMI handler, the core from BIOS Completely self-examination and the inspection of executable code of credible measurement root (Core Root of Trust Measurement, CRTM) Beginning is looked into, all component is all measured in start-up course finishes;Secondly, need to ensure that SMI handler is calling measurement generation Before reason, first computation and measurement acts on behalf of the cryptographic Hash of correlative code, with the integrity that confirmatory measurement is acted on behalf of;

3. ensure that proof procedure is not disrupted or distorts【Proof procedure is not once allowing for being interrupted or usurp Change, it is ensured that the seriality of proof procedure, that is to say, that ensure that original checking that this checking is always initially initiated.】: In order to ensure proof procedure once cannot be interrupted or distort, it is ensured that once there occurs interruption in measurement implementation procedure Or it is abnormal, measurement controlling stream will directly go to SMI handler;

4. ensure the integrity of measuring environment information:Acquisition VMM is complete, real context environmental, including the data of VMM And code, when by SMI interrupt, using back off technique, by injecting an instruction for causing virtual machine unconditionally to exit, force CPU core is transferred to VMM from user virtual machine;Back off procedure is as follows:Keep the value in all depositors, and next instruction And address;One privileged instruction of injection replaces next instruction;Once an event is counted, it is excessive to arrange Performance register Go out;Modification Advanced Programmable Interrupt Controllers APICs (Local Advanced Programmable Interrupt Controller, LAPIC) so that Performance register overflows causes a SMI interrupt;

Model ensures the verity of result using remote authentication mode:In system starting process, it is that platform produces one Public/private keys pair, before SMRAM is pinned, private key are stored in SMRAM, and public key are stored in the static PCR of TPM In;In order to obtain the result of measurement process, long-distance user sends a request and a random number and gives checking agency;Checking agency Two different signature values are produced based on random number by obtaining:First is static certification output, by TPM private key signatures;The Two is the result for measuring, by the private key signature of SMI handler;The verity of result is may determine that by comparing signature then.【Such as Fruit signature can by the checking of public key, then show signature be it is legal effectively, namely measurement result is real.】

TNM safeguards a trusted node aggregate list, node of the record within secure border, the public back of the body of the node Book key and desired measurement list, and announce the endorsement key public key of oneself, desired measurement list and credible close Key public key;By the integrity of remote authentication confirmatory measurement list the credible of platform is mutually authenticated between TNM and trusted node Property;In transition process, the credibility of originating node requests TNM verifying purpose nodes;If source node is all located at destination node In trusted node set, TNM allows two nodes directly to be communicated;Consult a session between source node and destination node close Key, the relevant information in encrypted virtual machine transition process;In order to ensure integrity and the safety of virtual machine (vm) migration process, source section Point calculates the cryptographic Hash of virtual identity, and will pass to destination node after virtual identity and cryptographic Hash encryption;

Concrete credible virtual machine transition process is as follows:

1)NsRequest TNM checking NdCredibility:NsA challenge initiated to TNM is selected firstThen it is sharp With the private key of its trusted keyEncrypted challenge and NdIdentityFinally by produce ciphertext andWith TNM's The public key of trusted keyEncryption, and the result of generation is sent to into TNM;

2) credibility of TNM checking source nodes and destination node:First, private keys of the TNM using its trusted keySolution Close message, and verify NsIdentity whether be located in trusted node set;If NsIt is trusted node, then using NsIt is credible The public key of keyDecryptionAnd challenge, and verify NdIdentity whether be located in trusted node set;If NdIt is Trusted node, then using NsTrusted key public keyEncrypted challenge and NdTrusted key public keyFinally, The ciphertext of generation is encrypted again with the private key of its trusted key, and returns result to Ns

3)NsWith NdBetween consult a session key SK, to ensure the state confidentiality in VM transition processes, NsDecryption disappears N can be obtained after breathdTrusted key public keyNsA session key SK is selected first, and to NdInitiate one ChallengeThen, using the private key of its trusted keyEncryption SK andFinally, using NdIt is credible The public key of keyThe identity of encryption oneself and the ciphertext of generation, and send result to Nd

4) before session key is received, NdN is verified firstsIt is whether credible;NdFirst with the private key of its trusted keySolution It is close go out NsIdentityThen, NdA challenge is initiated to TNMAnd using the private key of its trusted keyEncrypted challenge andFinally using TNM trusted key public key encryption produce ciphertext andAnd by result It is sent to TNM;

5) TNM decrypts NsAnd NdIdentity, checking both whether be trusted node;If it is, first with NdIt is credible The private key of keyEncrypted challenge and NsTrusted key public keyFinally, with its trusted key private keyEncryption The ciphertext of generation, and the result of generation is returned to into Nd

If 6) be mutually authenticated completed, NdReply receives session key SK, and utilizes SK encrypted challengesAfterwards, It is sent to Ns

7) in order to ensure the integrity and confidentiality of virtual machine (vm) migration process, NsThe cryptographic Hash of virtual identity is calculated, and And N will be passed to after virtual identity and cryptographic Hash encryptiond

TVMM runs two kinds of virtual machine:User virtual machine and management virtual machine;Management virtual machine is responsible for configuration and is used The memory space of family virtual machine, internal memory, determine the strategy for adopting, provide high-level interface for user virtual machine;TVMM is pipe Reason virtual machine provides a base interface【Base interface refers to the API of software, encapsulates some functional modules of bottom, supplies Call on upper strata.】To perform these tasks, and initiate integrity measurement agency the integrity of user virtual machine is verified;It is complete Whole property measurement agent intercepts and captures all processes, including monitoring service request, system are called and hardware interrupts;System is invoked to be handed to Before operating system of user kernel, TVMM can be first trapped in;Now, the institute that integrity measurement agent intercepts user virtual machine is initiated There is system to call, detect the context environmental and |input paramete intercepted and captured;

Clean room state monitor in real time is related to three processes:Actively monitoring, obtain Semantic Aware integrity measurement and Protection user memory;

1) actively monitoring enables TVMM to keep the newest view of user virtual machine memory mapping;Once memory mapping changes Become, i.e., when user virtual machine creates, terminates or change consumer process or kernel module, TVMM can intercept and capture dependent event, And initiate again integrity checking;Including:1. intercept and capture key user's event:In order to detect the upper of user virtual machine initiated event Hereafter environment and input, event are once trapped in TVMM, integrity measurement agency be immediately checked for user virtual machine depositor, Software stack, software heap;The information of detection includes:Event type, event argument, the instruction of operation program and stack pointer;Once it is interior Core completes event handling, and integrity measurement agency will force which to be absorbed in TVMM again;For interruption and exception, TVMM will be stored in Event return address in kernel becomes an illegal address;Once event returns to illegal address, will cause to be absorbed in the guarantor of TVMM Shield failure.2. interception system is called:In the case of calling Interception Technology and kernel to reentry using the system in the case of many return addresses System call interception to force system to be invoked at before being delivered to system kernel to be intercepted and captured by TVMM, and it is all that TVMM is intercepted and captured The system that user virtual machine sends is called, and the context environmental that calls and |input paramete, so as to realize completely actively supervising Control;

The process that integrity measurement agent intercepts system is called:1. one system of process a initiation is called;Integrity measurement generation Reason preserves desired data, and arranges debugging depositor;2. kernel suspends the thread being currently running, calling process b;In context Before conversion occurs, execution is trapped in TVMM, integrity measurement agency's reset debugging depositor;3. process b initiate one be System is called;Integrity measurement agency creates new one in list, and utilizes new value to arrange debugging depositor;4. kernel The system for completing process b is called, and instruction is absorbed in TVMM by a debugger extremely.TVMM return result to calling process it Before, integrity measurement agency completes the process detected to which;5. kernel continues calling for process a;Integrity measurement is acted on behalf of Know context switch, and the value of the debugging depositor for recovering to keep;6. call and complete, integrity measurement agency starts measurement As the memory area of call result;7., after loading page, a protection exception occurs;This process is continued until all The page is all loaded;8. integrity measurement agency measurement region of memory, recovers original kernel output, and returns to user to enter Journey;

2) measurement result for obtaining complete and Semantic Aware requires that operating system nucleus had been loaded before operation program Whole program, and verified the integrity of whole program by TVMM at once;Intercept related system to call, and kernel is forced in operation Complete routine is loaded before program, to guarantee to obtain complete metrical information;When program code and primary data piecemeal add When being downloaded to internal memory, it is desirable to which integrity measurement agency calculate the consistent hashing function value of whole program to determine its integrity at once;

3) user memory protection:In order to ensure to only carry out the user program of measured mistake, perfect measurement agency is using NX- ratios Special page protection identification technology so that once from by the page execute instruction with protective emblem, it will cause one to be trapped in The exception of TVMM;TVMM is absorbed in the renewal of all User Page tables, tests whether which matches any program pass for completing and measuring The address of the executable page of connection, so as to verify from user's kernel the integrity of the information for obtaining;Survey in order to avoid all The program measured is changed, and all executable pages for measuring all are designated not writeable by integrity measurement agency;Once attack The person of hitting attempts modification and has measured the page, and an exception will be produced, and process is trapped in TVMM;In addition, limiting a page Execution operation can not occur simultaneously with write operation.

A kind of clean room cloud computing data handling system, by credible virtual monitor unit TVMM, trusted node manager TNM with And trusted node TN is constituted;

Wherein, credible virtual monitor unit is that TVMM is one and is located at software between hardware platform and user virtual machine, And within being located at secure border, it is responsible for the operation of monitoring virtual machine;

Trusted node is that TN is within secure border, has run the node of credible platform module TPM;

Trusted node manager is that TNM is located at beyond secure border, is not controlled by CSP, can both be user's operation Software, or the software of user's commission trusted third party operation;

TN is registered to TNM, and TNM safeguards a registration table, to manage all nodes within secure border, and By the trusted node set for increasing/deleting the record management dynamic change in table, so as to ensure that only trusted node can be joined With in deploying virtual machine and transition process, and ensure whole deployment and the safety of transition process;

Based on the use agreement that user is signed with CSP, user is entered to service execution scenarios by credible virtual monitor unit The concealed measurement of row;If the integrity of performing environment is destroyed, credible virtual monitor unit gives the user warning;It is described Use agreement determine CSP provide service authority;

Described clean room cloud computing data handling system implements data according to aforesaid clean room cloud computing data processing method Process.

Claims (4)

1. a kind of clean room cloud computing data processing method, it is characterised in that with clean room cloud computing model as framework;
Described clean room cloud computing model is by credible virtual monitor unit TVMM, trusted node manager TNM and trusted node TN is constituted;
Wherein, credible virtual monitor unit TVMM is the software being located between hardware platform and user virtual machine, and is located at Within secure border, it is responsible for the operation of monitoring virtual machine;
Trusted node TN is within secure border, has run the node of credible platform module TPM;
Trusted node manager TNM is located at beyond secure border, is not controlled by cloud service provider CSP, is user's operation Software, or the software of user's commission trusted third party operation;
Trusted node TN is registered to trusted node manager TNM, and trusted node manager TNM safeguards a registration table, to manage All nodes of the reason within secure border, and by increasing/deleting the credible section of the record management dynamic change in table Point set, so as to ensure that only trusted node can be participated in deploying virtual machine and transition process, and ensure whole deployment and The safety of transition process;
Based on the use agreement that user is signed with cloud service provider CSP, user is held to service by credible virtual monitor unit Row environment carries out the measurement of secret;If the integrity of performing environment is destroyed, credible virtual monitor unit gives the user Report to the police;
Described use agreement determines the authority that cloud service provider CSP provides service;
The situation for violating described use agreement includes spying on, distort and destroying service execution scenarios, namely user virtual machine; The mainboard of trusted node embedded in credible platform module chip, to provide the root of trust of trust computing;In credible platform module TPM There are a series of platform configuration registers, PCR;PCR is that rooter is trusted in the measurement of credible platform module TPM, by concealed monitoring Input/input bus between external equipment and CPU input/output control centre, obtains the software from external equipment to platform The measurement result of performing environment, and be recorded in volatile memory;User " is chosen by remote authentication mode War-reply " mechanism obtains the measurement result in multiple PCR, and the measurement list for receiving is compared with expected value, so as to sentence Whether disconnected virtual machine monitor VMM is deployed on the Cloud Server that embedded in credible platform module, and judges virtual machine monitor Whether the start-up course of VMM is safe;
In remote certification process, the true context environmental of acquisition virtual machine monitor VMM, including virtual machine monitor VMM Data and code, and the integrity state of CPU;Authentication result is transferred safely to remote authentication side, and be not tampered with and Fake;
The band channel for being capable of Remote triggering system management interrupt is equipped with trusted node, using SMM, intelligence Energy platform management interface and Baseboard Management Controller, fortune of the user by way of remote authentication to virtual machine monitor VMM The dynamic integrity of row process carries out hidden close detection, and ensures that proof procedure is not disrupted or distorts, obtain it is true, can Letter, complete measurement result;
The detection of integrity during the operation of credible virtual machine monitor TVMM is performed by Dynamics Manager;Dynamics Manager DM is by two Individual component is constituted:System management interrupt processor in system management random access memory and it is located at credible virtual Machine monitor TVMM integrity measurements are acted on behalf of;User is using based on IPMI IPMI and Baseboard Management Controller BMC band channels, realize the dynamic to virtual machine monitor VMM runnings in the way of far call Dynamics Manager DM Integrity is detected;
In remote certification process:
1. realize the measurement of secret:System management interrupt SMI for being produced by Baseboard Management Controller BMC first may be by malice Virtual machine monitor VMM cancels or re-routes;If system management interrupt SMI is revoked, remote entity will be unable to Measurement result is received in finite time, so as to inference system management interrupt SMI is cancelled by virtual machine monitor VMM malice;Secondly, Virtual machine monitor VMM has the ability of triggering system management interrupt SMI, can call to conceal primal system by pseudo-measurement Management interrupt SMI is called;In order to distinguish the calling and virtual machine monitor to system management interrupt SMI by band channel The puppet of VMM is called, and interrupts class that SMI call come system management memory using a series of status registers that can not be distorted by software Type, and using universal input port routing table recording the interrupt type that each universal input port produces, it is ensured that only the bottom of with System management interrupt SMI could be triggered in the universal input port that board management controller BMC is connected;
2. ensure the integrity of Dynamics Manager DM components:Firstly, it is necessary to realize that the credible of system management interrupt SMI handler is opened It is dynamic, from the beginning of the complete self-examination of the credible measurement root of the core in BIOS and the inspection of executable code, until start-up course Middle all component is all measured to be finished;Secondly, needed to ensure system management interrupt SMI handler before measurement agent is called, First computation and measurement acts on behalf of the cryptographic Hash of correlative code, with the integrity that confirmatory measurement is acted on behalf of;
3. ensure that proof procedure is not disrupted or distorts:In order to ensure proof procedure once cannot be interrupted or usurp Change, it is ensured that once there occurs interruption or abnormal in measurement implementation procedure, measurement controlling stream will directly go to system management interrupt SMI Processor;
4. ensure the integrity of measuring environment information:Acquisition virtual machine monitor VMM is complete, real context environmental, including The data and code of virtual machine monitor VMM, when by system management interrupt SMI interrupt, using back off technique, by injection one The individual instruction for causing virtual machine unconditionally to exit, forces CPU core to be transferred to virtual machine monitor VMM from user virtual machine;Return Move back process as follows:Keep the value in all depositors, and next instruction and address;One privileged instruction of injection replaces next Bar is instructed;Once an event is counted, Performance register is set to overflow;Modification Advanced Programmable Interrupt Controllers APICs so that Performance register overflows causes a system management interrupt SMI interrupt;
Model ensures the verity of result using remote authentication mode:In system starting process, be platform produce public key/ Private key pair, before SMRAM is pinned, private key is stored in SMRAM, and public key is stored in credible platform module TPM's In static PCR;In order to obtain the result of measurement process, long-distance user sends a request and a random number and gives checking agency; Checking agency will obtain and two different signature values produced based on random number:First is static certification output, by credible flat Platform module TPM private key signature;Second is the result for measuring, by the private key signature of system management interrupt SMI handler;By than Relatively signature then may determine that the verity of result.
2. clean room cloud computing data processing method according to claim 1, it is characterised in that
Trusted node manager TNM safeguards a trusted node aggregate list, node of the record within secure border, the section Point public endorsement key and desired measurement list, and announce oneself endorsement key public key, desired measurement list, And trusted key public key;By the complete of remote authentication confirmatory measurement list between trusted node manager TNM and trusted node Whole property is being mutually authenticated the credibility of platform;In transition process, originating node requests trusted node manager TNM verifying purpose sections The credibility of point;If source node is all located in trusted node set with destination node, trusted node manager TNM allows two Node is directly communicated;Consult a session key between source node and destination node, in encrypted virtual machine transition process Relevant information;In order to ensure integrity and the safety of virtual machine (vm) migration process, source node calculates the cryptographic Hash of virtual identity, And destination node will be passed to after virtual identity and cryptographic Hash encryption;
Concrete credible virtual machine transition process is as follows:
1) source node NsRequest trusted node manager TNM verifying purpose node NdCredibility:Source node NsSelect one first To the challenge that trusted node manager TNM is initiatedThen using the private key of its trusted keyEncrypted challenge and Destination node NdDestination node identityFinally by the ciphertext for producing and source node identityManaged with trusted node The public key of the trusted key of device TNMEncryption, and the result of generation is sent to into trusted node manager TNM;
2) credibility of trusted node manager TNM checking source nodes and destination node:First, trusted node manager TNM is sharp With the private key of its trusted keyDecryption message, and verify source node NsIdentity whether be located in trusted node set; If source node NsIt is trusted node, then using source node NsTrusted key public keyDecryption destination node identity And challenge, and verifying purpose node NdIdentity whether be located in trusted node set;If destination node NdIt is credible section Point, then using source node NsTrusted key public keyEncrypted challenge and destination node NdTrusted key public keyFinally, the ciphertext of generation is encrypted again with the private key of its trusted key, and return result to source node Ns
3) source node NsWith destination node NdBetween consult a session key SK, with ensure the state in VM transition processes secret Property, source node NsDestination node N can be obtained after decryption messagedTrusted key public keySource node NsSelect first One session key SK, and to destination node NdInitiate a challengeThen, using the private key of its trusted keyEncrypted session key SK and challengeFinally, using destination node NdTrusted key public keyEncryption The identity of oneself and the ciphertext of generation, and send result to destination node Nd
4) before session key is received, destination node NdSource node N is verified firstsIt is whether credible;Destination node NdCan first with which The private key of letter keyDecrypt source node NsSource node identityThen, destination node NdManage to trusted node Device TNM initiates a challengeAnd using the private key of its trusted keyEncrypted challenge andLast profit The ciphertext produced with the public key encryption of the trusted key of trusted node manager TNM and destination node identityAnd will knot Fruit is sent to trusted node manager TNM;
5) trusted node manager TNM decrypts source node NsWith destination node NdIdentity, checking both whether be credible section Point;If it is, first with destination node NdTrusted key private keyEncrypted challenge and source node NsTrusted key Public keyFinally, with its trusted key private keyThe ciphertext that encryption is generated, and the result of generation is returned to into mesh Node Nd
If 6) be mutually authenticated completed, destination node NdReply receives session key SK, and utilizes SK encrypted challengesAfterwards, it is sent to source node Ns
7) in order to ensure the integrity and confidentiality of virtual machine (vm) migration process, source node NsThe cryptographic Hash of virtual identity is calculated, and And destination node N will be passed to after virtual identity and cryptographic Hash encryptiond
3. the clean room cloud computing data processing method according to any one of claim 1-2, it is characterised in that
Trusted node manager TVMM runs two kinds of virtual machine:User virtual machine and management virtual machine;Management virtual machine Be responsible for memory space, the internal memory of configuration user virtual machine, determine the strategy for adopting, high-level connecing is provided for user virtual machine Mouthful;Trusted node manager TVMM provides a base interface to perform these tasks to manage virtual machine, and initiates integrity Measurement agent is verified to the integrity of user virtual machine;The all processes of integrity measurement agent intercepts, including monitoring service Request, system are called and hardware interrupts;System is invoked at before handing to operating system of user kernel, can first be trapped in credible section Point manager TVMM;Now, all systems that integrity measurement agent intercepts user virtual machine is initiated are called, and it is upper that detection is intercepted and captured Hereafter environment and |input paramete;
Clean room state monitor in real time is related to three processes:Actively monitoring, the integrity measurement for obtaining Semantic Aware and protection User memory;
1) actively monitoring enables credible virtual machine monitor TVMM to keep the newest view of user virtual machine memory mapping;One Denier memory mapping changes, i.e., when user virtual machine creates, terminates or change consumer process or kernel module, credible virtual machine Monitor TVMM can intercept and capture dependent event, and initiate again integrity checking;Including:1. intercept and capture key user's event:For The context environmental of detection user virtual machine initiated event and input, event are once trapped in credible virtual machine monitor TVMM, integrity measurement agency are immediately checked for the depositor of user virtual machine, software stack, software heap;The information of detection includes:Thing Part type, event argument, the instruction of operation program and stack pointer;Once kernel completes event handling, integrity measurement agency will Which is forced to be absorbed in credible virtual machine monitor TVMM again;For interruption and exception, credible virtual machine monitor TVMM will be stored Event return address in kernel becomes an illegal address;Once event returns to illegal address, will cause to be absorbed in credible void The protection failure of plan machine monitor TVMM;2. interception system is called:Interception skill is called using the system in the case of many return addresses System in the case of art and kernel are reentried calls interception to force system to be invoked at before being delivered to system kernel by credible virtual machine Monitor TVMM is intercepted and captured, and the system that credible virtual machine monitor TVMM intercepts and captures all user virtual machines transmissions is called, And the context environmental that calls and |input paramete, so as to realize completely actively monitoring;
The process that integrity measurement agent intercepts system is called:1. one system of process a initiation is called;Integrity measurement agency protect Desired data is deposited, and debugging depositor is set;2. kernel suspends the thread being currently running, calling process b;In context switch Before generation, execution is trapped in credible virtual machine monitor TVMM, and integrity measurement agency resets and debugs depositor;3. process B initiates a system and calls;Integrity measurement agency creates new one in list, and is posted arranging debugging using new value Storage;4. kernel completes the system of process b and calls, and instruction is absorbed in credible virtual machine monitor TVMM by a debugger extremely; Before credible virtual machine monitor TVMM returns result to calling process, integrity measurement agency completes what which was detected Process;5. kernel continues calling for process a;Integrity measurement agency knows context switch, and the debugging for recovering to keep is posted The value of storage;6. call and complete, integrity measurement agency starts to measure the memory area as call result;7. loading page it Afterwards, a protection exception occurs;This process is continued until that all pages are all loaded;8. in integrity measurement agency measurement Region is deposited, is recovered original kernel output, and is returned to consumer process;
2) obtaining the measurement result of complete and Semantic Aware, to require that operating system nucleus was loaded before operation program complete Program, and verified the integrity of whole program by credible virtual machine monitor TVMM at once;Intercept related system to call, and by force Urgent kernel loaded complete routine before operation program, to guarantee to obtain complete metrical information;When program code and just When beginning deblocking is loaded into internal memory, it is desirable to which integrity measurement agency calculates the consistent hashing function value of whole program at once and comes true Fixed its integrity;
3) user memory protection:In order to ensure to only carry out the user program of measured mistake, perfect measurement agency is using NX- bit-pages Face protect identification technology so that once from by the page execute instruction with protective emblem, it will cause one be trapped in it is credible The exception of virtual machine monitor TVMM;Credible virtual machine monitor TVMM is absorbed in the renewal of all User Page tables, and testing which is The address of the executable page of any program association for completing to measure of no matching, so as to verify from user's kernel the information for obtaining Integrity;In order to avoid all programs for having measured are changed, integrity measurement agency by it is all measured hold The row page is all designated not writeable;Once attacker attempts to change has measured the page, an exception will be produced, and process is fallen into Enter to credible virtual machine monitor TVMM;In addition, the execution operation for limiting a page can not be occurred with write operation simultaneously.
4. a kind of clean room cloud computing data handling system, it is characterised in that by credible virtual monitor unit TVMM, trusted node pipe Reason device TNM and trusted node TN are constituted;
Wherein, credible virtual monitor unit is that TVMM is one and is located at software between hardware platform and user virtual machine, and position Within secure border, it is responsible for the operation of monitoring virtual machine;
Trusted node is that TN is within secure border, has run the node of credible platform module TPM;
Trusted node manager is that TNM is located at beyond secure border, is not controlled by cloud service provider CSP, can both be to use The software of family operation, or the software of user's commission trusted third party operation;
Trusted node TN is registered to trusted node manager TNM, and TNM safeguards a registration table, to manage positioned at secure border Within all nodes, and by increase/delete table in record management dynamic change trusted node set, so as to ensure Only trusted node can be participated in deploying virtual machine and transition process, and ensures the safety of whole deployment and transition process Property;
Based on the use agreement that user is signed with cloud service provider CSP, user is held to service by credible virtual monitor unit Row environment carries out the measurement of secret;If the integrity of performing environment is destroyed, credible virtual monitor unit gives the user Report to the police;
Described use agreement determines the authority that cloud service provider CSP provides service;
Described clean room cloud computing data handling system is implemented according to the clean room cloud computing data processing method described in claim 3 Data processing.
CN201410083476.6A 2014-03-07 2014-03-07 A kind of clean room cloud computing data processing method and system CN103841198B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410083476.6A CN103841198B (en) 2014-03-07 2014-03-07 A kind of clean room cloud computing data processing method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410083476.6A CN103841198B (en) 2014-03-07 2014-03-07 A kind of clean room cloud computing data processing method and system

Publications (2)

Publication Number Publication Date
CN103841198A CN103841198A (en) 2014-06-04
CN103841198B true CN103841198B (en) 2017-03-29

Family

ID=50804321

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410083476.6A CN103841198B (en) 2014-03-07 2014-03-07 A kind of clean room cloud computing data processing method and system

Country Status (1)

Country Link
CN (1) CN103841198B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1931792B1 (en) * 2005-09-26 2010-07-14 TheGreenCell, Inc. Transgenic aloe plants for production of proteins and related methods
CN106575323B (en) * 2014-08-22 2019-12-17 诺基亚技术有限公司 Security and trust framework for virtualized networks
CN104252401B (en) * 2014-08-29 2017-02-15 北京阅联信息技术有限公司 Weight based device status judgment method and system thereof
US9584317B2 (en) * 2014-10-13 2017-02-28 Microsoft Technology Licensing, Llc Identifying security boundaries on computing devices
US9876822B2 (en) * 2014-11-28 2018-01-23 International Business Machines Corporation Administration of a context-based cloud security assurance system
CN104410636A (en) * 2014-12-01 2015-03-11 浪潮集团有限公司 Method for enhancing security of BMC/SMC in cloud computing system
CN105184164B (en) * 2015-09-08 2017-11-24 成都博元科技有限公司 A kind of data processing method
CN105205391B (en) * 2015-10-15 2018-08-07 中南大学 A kind of clean room method for real-time monitoring based on integrity verification
EP3176990A1 (en) * 2015-12-01 2017-06-07 France Brevets Location based trusted computing nodes in a cloud computing architecture
CN105487935B (en) * 2015-12-07 2017-06-23 中南大学 A kind of acquisition methods of taking the initiative in offering a hand based on environment sensing
CN105700945B (en) * 2016-01-12 2019-01-11 中南大学 A kind of secure virtual machine moving method based on clean

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102202046A (en) * 2011-03-15 2011-09-28 北京邮电大学 Network-operating-system-oriented trusted virtual operating platform

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102202046A (en) * 2011-03-15 2011-09-28 北京邮电大学 Network-operating-system-oriented trusted virtual operating platform

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
An improved trusted cloud computing platform model based on DAA and Privacy CA scheme;Wang Han-zhang等;《2010 International Conference on Computer Application and System Modeling》;20101024;第13卷;V13-33页第I节 *
Terra:a virtual machine-based platform for trusted computing;T. Garfinkel等;《SIGOPS Oper.Syst.REV》;20031022;第37卷;第193-206页 *
Towards trusted cloud computing;N. Santos等;《Proceedings of the 2009 conference on Hottopics in cloud computing, San Diego, California》;20091231;全文 *
可信云计算平台模型的研究及其改进;王含章;《硕士学位论文电子期刊》;20111015;第2-9页,图1.3、图1.4 *

Also Published As

Publication number Publication date
CN103841198A (en) 2014-06-04

Similar Documents

Publication Publication Date Title
Springall et al. Security analysis of the Estonian internet voting system
Santos et al. Using ARM TrustZone to build a trusted language runtime for mobile applications
US8375221B1 (en) Firmware-based trusted platform module for arm processor architectures and trustzone security extensions
US7739517B2 (en) Hardware-based authentication of a software program
Lombardi et al. Secure virtualization for cloud computing
JP5853327B2 (en) System and method for protecting a virtual computing environment
Santos et al. Towards Trusted Cloud Computing.
US9558358B2 (en) Random number generator in a virtualized environment
CN106462438B (en) The proof of host comprising trusted execution environment
US7376974B2 (en) Apparatus and method for creating a trusted environment
US9361462B2 (en) Associating a signing key with a software component of a computing platform
Li et al. Secure virtual machine execution under an untrusted management OS
Szefer et al. Architectural support for hypervisor-secure virtualization
CN101755269B (en) Device with a secure virtual machine
Coker et al. Principles of remote attestation
JP5455318B2 (en) Dynamic trust management
JP5802337B2 (en) out-of-band remote authentication
US8151262B2 (en) System and method for reporting the trusted state of a virtual machine
US20090319782A1 (en) Interconnectable personal computer architectures that provide secure, portable, and persistent computing environments
US7730318B2 (en) Integration of high-assurance features into an application through application factoring
JP5735509B2 (en) Method and apparatus for obtaining a reliable path that can be verified by a user in the presence of malware
Datta et al. A logic of secure systems and its application to trusted computing
Krautheim et al. Introducing the trusted virtual environment module: a new mechanism for rooting trust in cloud computing
Kennell et al. Establishing the Genuinity of Remote Computer Systems.
Parno et al. Bootstrapping trust in modern computers

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
GR01 Patent grant
GR01 Patent grant