CN111164571B - 云系统中的基于安全处理的控制平面功能虚拟化 - Google Patents

云系统中的基于安全处理的控制平面功能虚拟化 Download PDF

Info

Publication number
CN111164571B
CN111164571B CN201880064129.5A CN201880064129A CN111164571B CN 111164571 B CN111164571 B CN 111164571B CN 201880064129 A CN201880064129 A CN 201880064129A CN 111164571 B CN111164571 B CN 111164571B
Authority
CN
China
Prior art keywords
control plane
secure
function
software defined
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201880064129.5A
Other languages
English (en)
Chinese (zh)
Other versions
CN111164571A (zh
Inventor
V·布朗
J·林顿
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Publication of CN111164571A publication Critical patent/CN111164571A/zh
Application granted granted Critical
Publication of CN111164571B publication Critical patent/CN111164571B/zh
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5061Partitioning or combining of resources
    • G06F9/5077Logical partitioning of resources; Management or configuration of virtualized resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0893Assignment of logical groups to network elements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0896Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities
    • H04L41/0897Bandwidth or capacity management, i.e. automatically increasing or decreasing capacities by horizontal or vertical scaling of resources, or by migrating entities, e.g. virtual resources or entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W28/00Network traffic management; Network resource management
    • H04W28/02Traffic management, e.g. flow control or congestion control
    • H04W28/10Flow control between communication endpoints
    • H04W28/12Flow control between communication endpoints using signalling between network elements
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0894Policy-based network configuration management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0895Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/40Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/508Network service management, e.g. ensuring proper service fulfilment according to agreements based on type of value added network service under agreement
    • H04L41/5096Network service management, e.g. ensuring proper service fulfilment according to agreements based on type of value added network service under agreement wherein the managed service relates to distributed or central networked applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/64Routing or path finding of packets in data switching networks using an overlay routing layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mathematical Physics (AREA)
  • Stored Programmes (AREA)
  • Debugging And Monitoring (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
CN201880064129.5A 2017-10-25 2018-10-18 云系统中的基于安全处理的控制平面功能虚拟化 Active CN111164571B (zh)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15/793,432 US10872145B2 (en) 2017-10-25 2017-10-25 Secure processor-based control plane function virtualization in cloud systems
US15/793,432 2017-10-25
PCT/EP2018/078626 WO2019081348A1 (en) 2017-10-25 2018-10-18 VIRTUALIZATION OF CONTROL PLANE FUNCTION BASED ON A SECURE PROCESSOR IN CLOUD SYSTEMS

Publications (2)

Publication Number Publication Date
CN111164571A CN111164571A (zh) 2020-05-15
CN111164571B true CN111164571B (zh) 2024-04-19

Family

ID=63965665

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880064129.5A Active CN111164571B (zh) 2017-10-25 2018-10-18 云系统中的基于安全处理的控制平面功能虚拟化

Country Status (6)

Country Link
US (1) US10872145B2 (https=)
JP (1) JP7110339B2 (https=)
CN (1) CN111164571B (https=)
DE (1) DE112018004210T5 (https=)
GB (1) GB2581717A (https=)
WO (1) WO2019081348A1 (https=)

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11126699B2 (en) * 2018-02-07 2021-09-21 Nec Corporation Replica trusted execution environment: enabling seamless replication of trusted execution environment (TEE)-based enclaves in the cloud
US11016798B2 (en) 2018-06-01 2021-05-25 The Research Foundation for the State University Multi-hypervisor virtual machines that run on multiple co-located hypervisors
US10949238B2 (en) * 2018-12-05 2021-03-16 Vmware, Inc. Decoupling compute and storage resources in cloud-based HCI (hyper-converged infrastructure)
US12039354B2 (en) 2019-06-18 2024-07-16 The Calany Holding S. À R.L. System and method to operate 3D applications through positional virtualization technology
US12033271B2 (en) 2019-06-18 2024-07-09 The Calany Holding S. À R.L. 3D structure engine-based computation platform
US12040993B2 (en) 2019-06-18 2024-07-16 The Calany Holding S. À R.L. Software engine virtualization and dynamic resource and task distribution across edge and cloud
US11044080B2 (en) * 2019-06-24 2021-06-22 International Business Machines Corporation Cryptographic key orchestration between trusted containers in a multi-node cluster
US10917288B2 (en) * 2019-06-25 2021-02-09 Bank Of America Corporation Adaptive edge-shift for enterprise contingency operations
JP7327057B2 (ja) * 2019-09-30 2023-08-16 日本電気株式会社 コンテナ制御装置、コンテナ制御方法、およびコンテナ制御プログラム
US11288018B2 (en) * 2020-03-25 2022-03-29 Verizon Patent And Licensing Inc. Method and system for deploying a virtual distributed unit on a network device
US11822949B2 (en) * 2020-04-02 2023-11-21 Vmware, Inc. Guest cluster deployed as virtual extension of management cluster in a virtualized computing system
US11057274B1 (en) * 2020-04-09 2021-07-06 Verizon Patent And Licensing Inc. Systems and methods for validation of virtualized network functions
KR102952068B1 (ko) 2020-04-17 2026-04-13 삼성전자주식회사 소프트웨어 정의 네트워크 시스템에서 통신을 수행하는 방법 및 장치
US11763015B2 (en) * 2020-07-14 2023-09-19 Sympatic, Inc. Securely processing shareable data utilizing a vault proxy
CN113612688B (zh) * 2021-07-14 2023-03-24 曙光信息产业(北京)有限公司 分布式软件定义网络控制系统及其构建方法
CN114035901B (zh) * 2021-11-16 2022-04-15 亿咖通(湖北)技术有限公司 用于运行进程的容器的构建方法、装置和电子设备
CN114244724B (zh) * 2021-11-24 2023-08-29 中盈优创资讯科技有限公司 一种城域网控制平面向容器化演进的方法及装置
US20230259352A1 (en) * 2022-02-11 2023-08-17 Intel Corporation Software updates in a network interface device
EP4476869A1 (en) * 2022-02-15 2024-12-18 Google Llc Secure environment for operations on private data
CN117370983A (zh) * 2022-07-01 2024-01-09 华为云计算技术有限公司 基于云技术的可信执行系统及方法
US20240220331A1 (en) * 2022-07-28 2024-07-04 Rakuten Symphony Singapore Pte. Ltd. Methods, systems, and storage media for implementation of enhanced open digital architecture for support system
US12549440B2 (en) 2023-09-29 2026-02-10 Dell Products L.P. Management of network services through pre-population of management plane from system level view
US12609874B2 (en) * 2023-09-29 2026-04-21 Dell Products L.P. Dynamic subscription based management of networks for computing systems
US20250240293A1 (en) * 2024-01-19 2025-07-24 Dell Products L.P. Multi-tenant secrets manager
US12468807B1 (en) 2025-04-24 2025-11-11 Wiz, Inc. Techniques for control plane level containment

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016000160A1 (en) * 2014-06-30 2016-01-07 Alcatel-Lucent Shanghai Bell Co., Ltd. Security in software defined network

Family Cites Families (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7447872B2 (en) * 2002-05-30 2008-11-04 Cisco Technology, Inc. Inter-chip processor control plane communication
US7224668B1 (en) * 2002-11-27 2007-05-29 Cisco Technology, Inc. Control plane security and traffic flow management
US7606140B2 (en) * 2003-08-28 2009-10-20 Alcatel Lucent Distributed and disjoint forwarding and routing system and method
US7990993B1 (en) * 2008-02-20 2011-08-02 Juniper Networks, Inc. Platform-independent control plane and lower-level derivation of forwarding structures
US8954752B2 (en) 2011-02-23 2015-02-10 International Business Machines Corporation Building and distributing secure object software
US8578175B2 (en) 2011-02-23 2013-11-05 International Business Machines Corporation Secure object having protected region, integrity tree, and unprotected region
US8739177B2 (en) 2010-06-21 2014-05-27 Intel Corporation Method for network interface sharing among multiple virtual machines
US8832465B2 (en) * 2012-09-25 2014-09-09 Apple Inc. Security enclave processor for a system on a chip
US8438631B1 (en) 2013-01-24 2013-05-07 Sideband Networks, Inc. Security enclave device to extend a virtual secure processing environment to a client device
US8448238B1 (en) 2013-01-23 2013-05-21 Sideband Networks, Inc. Network security as a service using virtual secure channels
US9426155B2 (en) * 2013-04-18 2016-08-23 International Business Machines Corporation Extending infrastructure security to services in a cloud computing environment
JP6214088B2 (ja) 2013-11-25 2017-10-18 学校法人東京電機大学 ネットワーク制御システム及び方法
US10491594B2 (en) * 2014-08-22 2019-11-26 Nokia Technologies Oy Security and trust framework for virtualized networks
US9442752B1 (en) * 2014-09-03 2016-09-13 Amazon Technologies, Inc. Virtual secure execution environments
US9491111B1 (en) * 2014-09-03 2016-11-08 Amazon Technologies, Inc. Securing service control on third party hardware
US9684608B2 (en) * 2014-10-28 2017-06-20 Intel Corporation Maintaining a secure processing environment across power cycles
KR101951273B1 (ko) 2014-12-04 2019-02-22 노키아 솔루션스 앤드 네트웍스 게엠베하 운트 코. 카게 가상화된 자원들의 조종
US9578008B2 (en) * 2015-05-11 2017-02-21 Intel Corporation Technologies for secure bootstrapping of virtual network functions
WO2016181423A1 (en) 2015-05-11 2016-11-17 Nec Corporation Communication apparaus, system, method, and program
US9742790B2 (en) * 2015-06-16 2017-08-22 Intel Corporation Technologies for secure personalization of a security monitoring virtual network function
US10528721B2 (en) * 2016-10-20 2020-01-07 Intel Corporation Trusted packet processing for multi-domain separatization and security
US10277535B2 (en) * 2017-03-31 2019-04-30 Hewlett Packard Enterprise Development Lp Network switch systems including logical switches

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016000160A1 (en) * 2014-06-30 2016-01-07 Alcatel-Lucent Shanghai Bell Co., Ltd. Security in software defined network

Also Published As

Publication number Publication date
US10872145B2 (en) 2020-12-22
JP2021500669A (ja) 2021-01-07
US20190121960A1 (en) 2019-04-25
JP7110339B2 (ja) 2022-08-01
CN111164571A (zh) 2020-05-15
GB202006882D0 (en) 2020-06-24
WO2019081348A1 (en) 2019-05-02
DE112018004210T5 (de) 2020-04-30
GB2581717A (en) 2020-08-26

Similar Documents

Publication Publication Date Title
CN111164571B (zh) 云系统中的基于安全处理的控制平面功能虚拟化
Casalicchio et al. The state‐of‐the‐art in container technologies: Application, orchestration and security
US10680946B2 (en) Adding multi-tenant awareness to a network packet processing device on a software defined network (SDN)
US11044236B2 (en) Protecting sensitive information in single sign-on (SSO) to the cloud
Padhy et al. Cloud computing: security issues and research challenges
US9553850B2 (en) Multi-tenant secure separation of data in a cloud-based application
CN101681404B (zh) 分布式计算机系统
US10938787B2 (en) Cloud services management system and method
US9426155B2 (en) Extending infrastructure security to services in a cloud computing environment
US9027087B2 (en) Method and system for identity-based authentication of virtual machines
Aiash et al. Secure live virtual machines migration: issues and solutions
JP2022549405A (ja) Kubernetesにおけるワークロードの保護を行うための方法、システム、及びコンピュータ・プログラム
Kim et al. CF-CloudOrch: container fog node-based cloud orchestration for IoT networks: NY Kim et al.
Shtern et al. An architecture for overlaying private clouds on public providers
Manohar A survey of virtualization techniques in cloud computing
US11385946B2 (en) Real-time file system event mapping to cloud events
Yao et al. CryptVMI: A flexible and encrypted virtual machine introspection system in the cloud
Syed et al. Towards secure instance migration in the cloud
Upadhyay et al. Secure live migration of VM's in Cloud Computing: A survey
Vijaya Bharati et al. Data storage security in cloud using a functional encryption algorithm
Hou et al. Enabling user-policy-confined vm migration in trusted cloud computing
Londhe et al. Imperial Analysis of Threats and Vulnerabilities in Cloud Computing.
Mansour Towards effective live cloud migration on public cloud IaaS.
Cushman et al. Designing Hybrid Cloud Computing Framework Using OpenStack for Supporting Multimedia with Security and Privacy
Hussain Topic: Local and Hybrid Cloud A MINT 709 Capstone Project submitted to the Departments of Computing Science and Electrical and Computer Engineering of the University of Alberta in partial fulfillment of the requirements for the degree of

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant