
Paper abstract

vTSE: An SGX-based vTPM security enhancement scheme

vTSE: A Solution of SGX-based vTPM Secure Enhancement

Authors: YAN Fei (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan 430072, Hubei, China; School of Computer, Wuhan University, Wuhan 430072, Hubei, China); YU Zhao (same affiliations); ZHANG Liqiang (same affiliations); ZHAO Bo (same affiliations)

Received: 2016-09-18          Year, volume (issue), pages: 2017, 49(2): 133-139

Journal: Advanced Engineering Sciences (工程科学与技术)

Keywords: trusted computing; virtual trusted platform module; Intel SGX

Funding: National Natural Science Foundation of China (61272452; 61303024; 61003268); National Basic Research Program of China, 973 Program (2014CB340601); Natural Science Foundation of Jiangsu Province, Youth Fund (BK20130372); National High-Tech R&D Program of China, 863 Program (2015AA016002)

Abstract (Chinese version)

To address the lack of effective security protection for vTPM (virtual trusted platform module) instances in existing virtualized trusted platform architectures, a vTPM security enhancement scheme based on Intel SGX (software guard extension), named vTSE, is proposed. The scheme uses the physical isolation provided by SGX to place the code and data of a vTPM instance inside an enclave, the isolated secure region that SGX provides, so that they are protected from the rest of the system; at the same time, vTSE uses SGX's sealing function, which is keyed to the enclave's identity, to encrypt the non-volatile data of the isolated region for storage. Experiments show that the scheme dynamically protects the confidentiality and integrity of a vTPM instance's code and data while the instance runs, and also provides secure storage for the instance's data. Finally, the scheme is evaluated in terms of security and performance overhead; the results show that vTSE secures both the execution and the storage of vTPM instances while adding no more than 1 ms of performance overhead.

Abstract (English version)

In order to solve the problem that there is not enough security assurance of the virtual trusted platform module (vTPM) in the virtualized trusted platform architecture, a vTPM security enhancement (vTSE) method based on Intel SGX (software guard extension) was proposed. The physical memory isolation characteristic of SGX was utilized first. Then the code and data of vTPM instances were isolated and protected in the safety isolation region (enclave) created by SGX. At the same time, the sealing feature based on the trusted-area identity of the enclave was used to confidentially store the non-volatile data of the safety isolation region. The experimental results showed that this method could not only dynamically protect the confidentiality and integrity of code and data during the operation of vTPM instances, but also realize the secure storage of vTPM instance data. Finally, the security and performance evaluation of the system was done. The results showed that while the proper functioning and secure storage of vTPM instances were ensured, the performance overhead added was less than 1 ms.


Copyright © 2020 Sichuan University Journal Press. All rights reserved.
