利用TPM提供高安全性的虛擬機動態遷移機制

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：34

、訪客IP：52.15.217.86

姓名

倪丞頤(Cheng-Yi Ni) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

利用TPM提供高安全性的虛擬機動態遷移機制
(Using TPM to Provide a Totally Secured VMs’ Live Migration)

相關論文

★ 整合多樣配置組態下的藍芽射頻驗證系統	★ 具檔案敘述相關語查詢之智慧型檔案搜尋系統
★ 具遲到者支援功能之網際網路簡報系統	★ 以快速廣播法建構熱門視訊隨選服務伺服器
★ 具事件同步再現特性之遠程電傳展示伺服器	★ 無線網路環境下之廣播資訊快速下載
★ 中文網站繁簡互訪協助系統	★ 支援時光平移播放之調適性現場直播演算法
★ 用於互動式廣播之段落對齊法	★ 熱門影片廣播法之影片區段復原機制
★ 配合熱門影片廣播的本地伺服器高效快取法	★ 一個增進SIP在防火牆環境中應用的協同模組
★ 考量網頁熱門度之一致性雜湊法解決網頁代理伺服器之負載平衡	★ 以網域名稱伺服器為基礎之色情網站過濾系統
★ 使用熱門廣播法及支援點對點傳輸之影音內容傳遞網路	★ 變動頻寬平滑化之熱門廣播演算法

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

隨著近幾年網路設備效能的大幅度提升，對網路效能高依賴的雲端計算技術成為現今當紅的熱門話題，有鑒於虛擬技術在雲端計算中廣泛的應用，雲端服務提供商能透過虛擬技術來調整所提供的資源，讓提供的服務資源能更貼近不同使用者的實際需求。而其中能做到上述項目的一個重要技術即為虛擬機動態遷移。
但是在多人共用資源的雲端環境中，安全性一直是個很重要的隱憂，尤其是在開放式的雲端環境中，不但得防範週遭共用資源的其他使用者，甚至是擁有特權的系統管理者是否能完全信任？
本論文提出一高安全性的虛擬機動態遷移機制，以及對應必要的可信賴計算平台架構，平台的最根本信賴元件是TPM，利用TPM帶起的可信賴VMM，避免使用者因為使用雲端計算資源造成本身機密資料洩漏。將信賴基礎建立在可信賴的計算平台上，利用平台提供的驗證機制，降低使用者使用雲端平台時的安全疑慮；同時加強虛擬機動態遷移機制的安全性，對本機端以及遠端主機做信賴驗證，確保雙方主機的互信原則，再以vTPM為輔助，為使用者資料提供更多的安全保障，避免因為虛擬機動態遷移所意外導致的使用者資料外洩發生。

摘要(英)

The performance of network devices in recent years are improved significantly and the Cloud Computing which highly depends on the network performance becomes hot topics today. As the virtualization is widely deployed in the Cloud, the Cloud service provider can fix their provided resource by the virtualization and make the service resource more conformed to different users’ real requirements. An important technology for doing this is VMs’ live migration.
In an environment with people share the resource like the Cloud computing, the security is always a very serious concern, especially in a public Cloud. We need prevent not only the other users which share the resource, but even the system administrator who has the privilege. Can we totally trust them?
We present a mechanism for a highly secured VMs’ live migration and the secured platform in this paper. The root of trusted component in the platform is TPM. We use TPM to boot the trusted VMM and protect the users’ data for not leaking when use the Cloud Computing resource. We make the base of the trust depend on the trusted computing platform, and use the attestation mechanism supported by the platform to reduce the security concern when using the Cloud platform. We also enhance the security of VMs’ live migration at the same time, and do the trusted attestation to local and remote hosts to make sure the trust between each host. We provide more security protect for the users’ data by vTPM to prevent users’ data lost when the VMs migrate.

關鍵字(中)

★ 虛擬機動態遷移
★ 虛擬機安全性
★ 可信賴運算
★ vTPM

關鍵字(英)

★ VM Live Migration
★ VM Security
★ Trusted Computing
★ vTPM

論文目次

摘要 i
Abstract ii
誌謝 iii
目錄 iv
圖表目錄 vi
第一章緒論 1
1.1. 研究背景 1
1.2. 研究動機 3
1.3. 論文架構 4
第二章相關研究 5
2.1. 雲端運算上的虛擬機遷移技術 5
2.1.1. 虛擬機遷移技術 5
2.1.2. 雲端運算上的虛擬機遷移 8
2.2. 雲端運算上的虛擬機安全性 9
2.3. 安全可信賴的VMM 12
2.4. 安全的虛擬機遷移機制 14
第三章系統設計 17
3.1. 目標 17
3.2. 系統情境描述 17
3.3. 安全可信賴運算平台 18
3.4. 安全的虛擬機動態遷移 22
3.5. 假想的攻擊方 24
第四章虛擬機安全遷移機制 27
4.1. 平台註冊程序 27
4.2. 可信賴開機流程 30
4.3. 安全遷移機制 31
4.3.1. 遷移機制概觀 31
4.3.2. 平台信賴驗證機制 32
4.3.3. 虛擬機安全遷移協定 34
4.3.4. 安全的虛擬機動態遷移 37
4.4. 安全查核 38
第五章 Xen虛擬機技術分析 39
5.1. 目標 39
5.2. Xen實體主機啟動流程 40
5.3. Xen客戶端虛擬機啟動流程 42
5.4. Xen虛擬機動態遷移技術 44
5.5. Xen實做vTPM之方式分析 45
5.6. 在Xen上實作對客戶端的資料加密 47
第六章結論與未來方向 51
參考文獻 52

參考文獻

[1] Fang Hao, T.V. Lakshman, Sarit Mukherjee, and Haoyu Song, “Enhancing Dynamic Cloud-based Services using Network Virtualization”, In VISA, 2009.
[2] Fang Hao, T.V. Lakshman, Sarit Mukherjee, and Haoyu Song, “Secure Cloud Computing with a Virtualized Network Infrastructure”, Proceeding in HotCloud'10 Proceedings of the 2nd USENIX conference on Hot topics in cloud computing.
[3] Amazon Elastic Compute Cloud (Amazon EC2) http://aws.amazon.com/ec2/
[4] Wayne A. Jansen, “Cloud Hooks: Security and Privacy Issues in Cloud Computing”, Proceedings of the 44th Hawaii International Conference on System Sciences - 2011.
[5] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, “Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds.” In CCS, 2009.
[6] Huan Liu, “A new form of DOS attack in a cloud and its avoidance mechanism”, proceedings of the 2010 ACM workshop on Cloud computing security workshop.
[7] Sebastian Roschke, Feng Cheng, and Christoph Meinel, “Intrusion Detection in the Cloud,” Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing, 2009, pp.729-734.
[8] Trusted Computing Group. http://www.trustedcomputinggroup.org/
[9] TCG Architecture Overview, Version 1.4 http://www.trustedcomputinggroup.org/resources/tcg_architecture_overview_version_14
[10] The Trusted Computing Group Trusted Platform Module specification version 1.2 http://www.trustedcomputinggroup.org/resources/tpm_main_specification
[11] Infineon’s Website: http://www.infineon.com
[12] Reiner Sailer, Enriquillo Valdez, Trent Jaeger Jaeger, Ronald Perez, Leendert van Doorn, John Linwood Griffin, and Stefan Berger, “sHype: Secure Hypervisor Approach to Trusted Virtualized Systems”, IBM Research Report RC23511(W0502-006) http://domino.watson.ibm.com/library/cyberdig.nsf/3addb4b88e7a231f85256b3600727773/265c8e3a6f95ca8d85256fa1005cbf0f?OpenDocument
[13] Reiner Sailer, Trent Jaeger, Enriquillo Valdez, Ronald Perez, Stefan Berger, John Linwood Griffin, and Leendert van Doorn, “Building a MAC-based Security Architecture for the Xen Opensource Hypervisor”, IBM Research Report RC23629(W0506-051) http://domino.watson.ibm.com/library/cyberdig.nsf/1e4115aea78b6e7c85256b360066f0d4/5ff6b8de618bcf30852570230052518a?OpenDocument
[14] Stefan Berger, Ramon Caceres, Kenneth A. Goldman, Ronald Perez, Reiner Sailer, and Leendert van Doorn, “vTPM: Virtualizing the Trusted Platform Module”, Proceedings of the 15th USENIX Security Symposium, Berkeley, CA, USA, 2006. USENIX Association, pp. 21-21.
[15] James E. Smith, AND Ravi Nair, “Virtual Machines: Versatile Platforms for Systems And Processes”, Morgan Kaufmann Publishers, San Francisco, CA, USA, 2005.
[16] VMware, Inc. 3401 Hillview Ave Palo Alto. “VMware Server 2 - A Risk-Free Way to Get Started with Virtualization” http://www.vmware.com
[17] Christopher Clark, Keir Fraser, Steven Hand, Jacob Gorm Hansen, Eric Jul, Christian Limpach, Ian Pratt, and Andrew Warfield, “Live Migration of Virtual Machines.” In Proceedings of the 2nd ACM/USENIX Symposium on Networked Systems Design and Implementation, Boston, MA, May 2005.
[18] 林冠余，“實體系統執行程序至虛擬平台之動態遷移”，國立中央大學資訊工程學系碩士論文，民98
[19] Jacob Gorm. Hansen and Asger Kahl Henriksen, “Master's Thesis: Nomadic Operating Systems”, Dept. of Computer Science, University of Copenhagen, Denmark, 2002.
[20] Erik Elmroth and Lars Larsson, “Interfaces for Placement, Migration, and Monitoring of Virtual Machines in Federated Clouds”, 2009 Eighth International Conference on Grid and Cooperative Computing.
[21] Mudassar Aslam, and Christian Gehrmann, "Security Considerations for Virtual Platform Provisioning", Workshop on Cryptography and Security in Clouds (March 15-16, 2011, Zurich)
[22] Jinzhu Kong, “Protecting The Confidentiality of Virtual Machines Against Untrusted Host”, 2010 International Symposium on Intelligence Information Processing and Trusted Computing.
[23] Tal Garfinkel, Ben Pfaff, Jim Chow, Mendel Rosenblum, and Dan Boneh, “Terra: A Virtual Machine-Based Platform for Trusted Computing”, In Proceeding of SOSP’03, 2003.
[24] Wei Wang, Ya Zhang, Ben Lin, Xiaoxin Wu, and Kai Miao, “Secured and Reliable VM Migration in Personal Cloud”, In 2nd International Conference on ICCET 2009.
[25] Kara Nance, Matt Bishop, and Brian Hay, “Virtual Machine Introspection: Observation or Interference?”, In Proceeding of IEEE Symposium on Security and Privacy, pages 32-37, 2008.
[26] Brian Hay , Kara Nance, “Forensics Examination of Volatile System Data Using Virtual Introspection”, ACM Sigops Operating Systems Review, vol. 42, no. 3, April 2008, pp. 74–82.
[27] Home of the XEN hypervisor http://www.xen.org/
[28] Intel 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes 3A and 3B: System Programming Guide, Parts 1 and 2.
[29] Intel® Virtualization Technology for Directed I/O, Revision 1.3 specification http://download.intel.com/technology/computing/vptech/Intel(r)_VT_for_Direct_IO.pdf

指導教授

曾黎明(Li-Ming Tseng)

審核日期

2011-8-30

推文