VirtinSpector:一种基于UEFI的虚拟机动态安全度量框架设计与实现

被引:4
作者
严飞
石翔
李志华
王鹃
张焕国
机构
[1] 武汉大学计算机学院
关键词
云安全; 可信计算; 动态度量; 虚拟化;
D O I
10.15961/j.jsuese.2014.01.029
中图分类号
TP311.52 [];
学科分类号
081202 ; 0835 ;
摘要
通过可信硬件能够弥补单纯软件安全的不足,从整体上提高云系统的安全性。但是,面对云环境运行时的安全,传统可信硬件技术无法提供足够的保障。为此,提出了一种基于UEFI的虚拟机动态安全框架——VirtinSpector。该框架能够将UEFI固件作为可信基础,对云系统的基础设施层进行实时、动态的安全度量,提供传统可信技术无法达到的动态保护。在此框架基础上,以某国产服务器为实验平台,构建云环境,实现了一个面向Xen环境的UEFI虚拟机动态安全度量原型系统。实验与分析表明,该框架能够有效检测针对虚拟域、管理域和虚拟化软件的攻击,为云系统提供来自基础设施层的安全支撑。并且对原有系统的性能损耗在允许范围之内,不影响用户的正常使用。
引用
收藏
页码:22 / 28
页数:7
相关论文
共 16 条
[1]  
BITS: a smartcard protected operating system[J] . Paul C. Clark,Lance J. Hoffman. &nbspCommunications of the ACM . 1994 (11)
[2]  
A Secure and Reliable Bootstrap Architecture. Arbaugh W A,Farber D J,Smith J M. Proceedings of IEEE Computer Society Conference on Security and Privacy . 1997
[3]  
N-force daemon prototypetechnical description. Heine D,Kouskoulas Y. Technical Report VS-03-021.The Johns Hopkins University Applied Physics Labo-ratory . 2003
[4]  
Hardware Virtualization-Based Rootkits. Zovi D A D. Black Hat USA2006 . 2006
[5]  
An archi-tecture for specification-based detection of semantic integrity violations in ker-nel dynamic data. Jr. Petroni L. Nick,Fraser Timothy,Jesus Molina,William A. Arbaugh. Proceedings of the 15th conference on USENIX Security Symposium . 2006
[6]  
SecureSwitch:BIOS-assisted isolation and switch between trusted and untrusted commodity OSes. Sun Kun,Wang Jiang,Zhang Fengwei,et al. Network and Distributed System Security Symposium (NDSS) . 2012
[7]  
HyperSentry:Enabling stealthy in-context measurement of hypervisor intergrity. Azab A M,Ning Peng,Wang Zhi,et al. Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010) . 2010
[8]  
Beyond BIOS:Implementing UEFI—The unified extensible firmware interface. Zimmer V,Rothman M,Hale R. . 2006
[9]  
HIMA:A hypervisor-based integrity measurement agent. Azab AM,Ning P,Sezer EC,Zhang X. Proc of the2009Annual Computer Security Applications Conf . 2009
[10]  
Hypervisor support foridentifying covertly executing binaries. Litty L,Lagar-Cavilla H A,Lie D. Proceedings ofthe 17th USENIX Security Symposium . 2008