Research on the Architecture and Key Technologies of a Trusted Portable Computing Environment
Abstract
Platform security is the foremost concern in the mobile office field. Enterprises typically provide online service platforms such as SOA and Web Services to meet employees' mobile office needs, and in this model a secure and trusted platform environment is a prerequisite. In addition, because the configurations of different computing platforms are diverse and independent, required application software may well be missing, which prevents mobile office work from being carried out. A fully configured, secure, and trusted platform environment is therefore a necessary precondition for mobile office. Based on these considerations, we propose the Trusted Portable Computing Environment (TPCE), built on trusted computing theory, virtual machine technology, and the Secure Virtual Execution Environment (SVEE).
     TPCE consists of trusted hardware, a virtual execution environment, and trusted applications. It ensures the security of user operations and data resources, makes applications and personal settings portable, and protects the platform against attacks from an untrusted host environment; its execution leaves no traces on the host PC. We present the architecture, layered model, and trust model of TPCE and analyze the corresponding key technologies in detail.
     Hardware-level security policy fundamentally guarantees the security and trustworthiness of a computing environment. To strengthen the security and trustworthiness of the TPCE architecture, smart card technology is used to build a Trusted Portable Security Base (TPSB) suited to the characteristics of small mobile intelligent devices. On the basis of TPSB, and drawing on trusted computing theory and the noninterference model of information flow, we establish the trust model of TPCE and analyze in depth its key components, key management, and the mechanisms for measuring and transferring trust. The work focuses on the security features and mechanisms of a hardware-virtualization-based isolation model, an application-virtualization-oriented secure execution environment, and file management in the zero-start state. We propose a trusted virtual machine monitor (TVMM), a BLP-based access control model, and a theoretical model of the secure execution environment and, combined with a dynamic trusted isolation model of processes, a Dynamic Trusted Protection System that provides dynamic trustworthiness and security for TPCE and its applications.
     The security of mobile storage devices has long been a focus of the information security field. To manage confidential files securely in the zero-start state of TPCE, we combine TNC, GAP, and related theory to propose a new secure data exchange model based on data ferrying. For the security of smart card PIN entry and authentication, we propose a PIN authentication method based on graphics interference, which effectively prevents malicious programs from attacking the PIN. To resolve compatibility problems between different Trusted Portable Computing Devices (TPCD), we also design a method and protocol for transmitting smart card control instructions over a standard data interface, so that a TPCD is recognized and runs without a driver on a common USB 2.0 interface.
     Finally, based on the above theory and methods, a preliminary TPCE prototype system is implemented.
