Research on Trusted Virtual Storage in Cloud Computing
Abstract
Cloud computing is a new computing paradigm that uses virtualization technology to integrate the computing resources available on the network in order to perform massive computations, while dynamically allocating, configuring, deploying, redeploying and withdrawing cloud services according to user demand. Cloud computing can provide services to users at different layers of the software stack; one of these is the Infrastructure as a Service (IaaS) model, of which the Xen-based Amazon EC2 is an example.
     Companies can use cloud computing to reduce IT expenditure and investment and so obtain better economic returns. However, for security reasons, especially the security of stored data against insider attacks, few companies do so. Virtual storage is one of the important components of cloud computing. The greatest challenge in solving this problem is how to guarantee the confidentiality and integrity of user data in the cloud computing environment. The Trusted Computing specifications define trusted storage for hardware storage devices, but they do not address the trustworthiness of virtual storage in the cloud computing environment.
     To meet this challenge, this thesis, building on an in-depth study of Xen virtualization and trusted computing technology, summarizes the advantages and disadvantages of existing cloud storage technologies and designs and implements a Trusted Virtual Block Storage (TVBS) system based on virtualization and trusted computing. The design goal of TVBS is to build a virtual storage system suited to the IaaS cloud computing environment that is reliable, flexible, scalable and trustworthy. To reach this goal, the strategies adopted in this thesis are: isolating the user-level management program of the virtual block device from the kernel-level execution program, virtualizing the hardware storage device, and limiting and separating the privileges of platform administrators.
     This thesis designs and implements the trusted virtual block storage system TVBS on the Xen virtualization platform. TVBS consists mainly of three parts: the trusted virtual block storage manager, the trusted virtual block storage host, and the trusted virtual block device. The trusted virtual block device is the core component of the system; it provides mutual authentication, integrity measurement and reporting, automatic encryption and logging. TVBS makes a virtual block device appear to the user like a trusted hardware storage device, extending the platform's chain of trust to the virtual block device. To improve the extensibility of the platform, this thesis designs and implements a client system for the Windows platform on top of TVBS.
     Experimental evaluation and security analysis show that the TVBS system meets the performance and security requirements of storage in IaaS cloud computing.
In the age of the internet, with the rapid growth in the amount of information and data, cloud computing has become a hot research field in industry and academia. Cloud computing is a new computing model which, based on virtualization technologies, can run large computations on various computing resources via the network and can dynamically allocate, configure, deploy, redeploy and cancel cloud services depending on customers' requirements. Cloud providers may offer services at various layers of the software stack. One type that this paper focuses on is Infrastructure as a Service (IaaS), such as Amazon EC2 based on Xen.
     Companies utilizing IaaS cloud computing can gain many benefits in reducing their IT expenses and overhead. In reality, however, this is rarely done because of security concerns, especially the security of storage against insider attacks. Storage virtualization is a significant part of cloud computing. A major challenge in solving such concerns is to provide a trusted storage service in the cloud computing environment with trusted computing technology. But the current trusted computing specification for the virtual computing environment does not involve the trustworthiness of virtual storage.
     To address this challenge, this paper first makes an in-depth study of storage virtualization in the Xen virtual machine monitor and of trusted computing technologies, and summarizes the advantages and disadvantages of recent research. Then we present a novel trusted storage architecture, the Trusted Virtual Block Storage (TVBS) System, for storage virtualization in IaaS cloud computing based on Xen virtualization and Trusted Computing technologies. Our system aims at constructing a trusted virtual storage system in the cloud computing environment which has the features of reliability, flexibility, scalability and trustworthiness.
     We first design and implement the Trusted Virtual Block Storage (TVBS) System based on virtualization and trusted computing technologies, which consists of the TVBD manager, the TVBD master and the TVBD driver. The TVBD is the core component of the TVBS system, which has the functions of integrity measurement and reporting, self-encryption and logging. TVBS makes a virtual block device look like a trusted physical block device to the user and extends host TPM trust into the computing environment within all virtual block devices. For improving the TVBS, we then design and implement the TVBS client system in Windows.
     The results of the evaluation and security analysis prove that our TVBS system satisfies the requirements of efficient and secure storage in IaaS cloud computing.
