Paper Abstract

VirtinSpector: A UEFI Based Dynamic Secure Measurement Framework for Virtual Machine

Authors: Yan Fei (School of Computer, Wuhan Univ.); Shi Xiang (School of Computer, Wuhan Univ.); Li Zhihua (School of Computer, Wuhan Univ.); Wang Juan (School of Computer, Wuhan Univ.); Zhang Huanguo (School of Computer, Wuhan Univ.)

Received: 2013-06-20          Year, Volume(Issue): Pages: 2014, 46(1): 22-28

Journal Name: Advanced Engineering Sciences

Key words: cloud security; trusted computing; dynamic measurement; virtualization

Funding: National Natural Science Foundation of China (61003268; 61272452; 91118003; 61173138; 61003185)

Chinese Abstract (translated)

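Trusted hardware can compensate for the shortcomings of software-only security and improve the security of a cloud system as a whole. However, traditional trusted hardware technology cannot provide sufficient assurance for the runtime security of a cloud environment. To address this, a UEFI-based dynamic security framework for virtual machines, VirtinSpector, is proposed. The framework uses the UEFI firmware as its trusted base to perform real-time, dynamic security measurement of the infrastructure layer of a cloud system, providing dynamic protection that traditional trusted computing techniques cannot achieve. On the basis of this framework, a cloud environment was built on a domestically produced server as the experimental platform, and a prototype UEFI-based dynamic security measurement system for virtual machines in a Xen environment was implemented. Experiments and analysis show that the framework can effectively detect attacks against virtual domains, the management domain, and the virtualization software, providing security support for cloud systems from the infrastructure layer. The performance loss imposed on the original system is within an acceptable range and does not affect normal use.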

English Abstract

Trusted computing technology has been introduced to build a secure cloud infrastructure, which can ease the dilemma of software security. However, traditional trusted hardware technology does not provide sufficient protection for the runtime security of the cloud. To solve this problem, a UEFI based dynamic security framework for virtual machines, named VirtinSpector, was proposed. VirtinSpector treats the UEFI firmware as a trusted computing base to obtain run-time, dynamic security measurement for the cloud, providing dynamic protection beyond what traditional solutions offer. A prototype of VirtinSpector for the Xen hypervisor was implemented. The experiments showed that the framework can measure and explore some mainstream attacks on the cloud, and that its performance overhead is restricted within an acceptable range, without affecting the user's daily use.
