电子科技大学学报 (Journal of University of Electronic Science and Technology of China)
2015, No. 1, pp. 117-122 (6 pages)
张磊, 陈兴蜀, 刘亮, 李辉 (Zhang Lei, Chen Xingshu, Liu Liang, Li Hui)
integrity; kernel; KVM; trusted computing; virtual machine
To address the threats to guest virtual machine kernel integrity in cloud computing, this paper proposes a technique for protecting virtual machine kernel integrity, the cloud trusted virtual machine (CTVM). CTVM creates a virtualized trusted execution environment in the kernel-based virtual machine (KVM) environment, so that multiple guest virtual machines possess trusted computing functionality at the same time and can be provided with boot-time integrity measurement. On this basis, hardware-assisted virtualization is used to construct an isolated address space for each guest virtual machine, so that untrusted modules in the guest and the guest kernel run in logically isolated address spaces. Together, these two mechanisms protect the integrity of the guest virtual machine both at boot and at run time. Finally, a CTVM prototype system was implemented on a domestically produced server as the experimental platform; system testing and analysis verified the usability of the technique, and the performance overhead of the system is within an acceptable range.