Institutional Repository of the Institute of Software, Chinese Academy of Sciences
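Subject: Basic Disciplines of Computer Science and Technology::Data Security and Computer Security
Title:
Research on Key Technologies for Building a Trusted Computing Environment Based on Xen (基于Xen的可信计算环境构建关键技术研究)
Author: Wang Dan (汪丹)
Defense date: 2010-05-31
Advisor: Feng Dengguo (冯登国)
Degree-granting institution: Graduate University of Chinese Academy of Sciences
Place of conferral: Beijing
Degree: Doctorate
Keywords: trusted computing ; trusted platform module ; trusted virtualization ; trust chain ; trustworthiness ; property-based sealing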
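Abstract: On virtualization platforms such as Xen, introducing trusted computing technology makes it possible to build a trusted computing environment and effectively strengthen security. However, because a virtualization platform supports running multiple virtual machine systems, trusted computing technology cannot directly support the construction of its trusted computing environment. This thesis studies the construction of a trusted computing environment on a Xen trusted virtualization platform equipped with a TPM. It first analyzes the deficiencies of the TCG trust chain model and, on that basis, proposes a trustworthiness-based trust chain model that improves the original model's ability to express trust. It then extends this model to the trusted virtualization platform, discusses the problem of establishing trust there, and proposes a trust-tree method for establishing trust. Next, it analyzes the problems of data sealing on the trusted virtualization platform and gives feasible sealing solutions. Finally, it implements a trust system for the trusted virtualization platform, establishing a trusted computing environment on the Xen platform. The main results of this thesis are as follows: 1. To address the defects of the TCG trust chain model, in which integrity measurement cannot fully reflect how an entity is running and the loss incurred in trust transfer cannot be expressed, a trustworthiness-based trust chain model is proposed. The model enriches the trust chain theory of trusted computing and offers guidance for research on extending trust chain models. 2. Building on the trustworthiness-based trust chain model, and in view of the multi-system operation of trusted virtualization platforms, a trust-tree-based method for establishing trust on the trusted virtualization platform is proposed. The method meets the security requirements of a running trusted virtualization platform and lays the foundation for building its trusted computing environment. 3. A TPM-supported multilevel property-based sealing scheme is proposed. The scheme lets the TPM perform property-based sealing of data for all virtual machine systems, extends properties with levels, and performs unsealing based on a property's security level, which makes property-based sealing more flexible and protects data on the trusted virtualization platform more effectively. 4. To meet the data usage requirements of the trusted virtualization platform, an on-demand property-based sealing scheme is proposed. The scheme not only seals data to the property of any component but also ensures that sealed data can be unsealed normally in different virtual machines, which improves the availability of sealed data and fully meets the security requirements for sealing and sharing sensitive data on the trusted virtualization platform. Overall, the results of this thesis provide security support for the application of virtualization technology and a reference for related research on trusted computing.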
English abstract: For a virtual platform such as Xen, introducing trusted computing technology can establish a trusted computing environment and enhance security. However, a virtual platform allows multiple virtual machines to run concurrently, so trusted computing technology cannot be used directly to establish its trusted computing environment. This thesis mainly studies the establishment of a trusted computing environment on a trusted virtualization platform with Xen and TPM. First, we analyze the deficiencies of the TCG trust chain model and, on that basis, propose a trustworthiness-based trust chain model, which improves the model's ability to express trust. Next, we extend the model to the trusted virtualization platform to discuss trust establishment, and propose a trust-tree approach to establishing trust. Then, we analyze the problems that arise when sealing data on the trusted virtualization platform, and propose feasible sealing solutions. Finally, we implement a trust system on the trusted virtualization platform to establish a trusted computing environment based on Xen. The main contributions of this thesis are as follows: (1) To address the deficiencies of the TCG trust chain model, namely that integrity measurements cannot fully reflect how entities run and that the model cannot express the loss of transitive trust, a trustworthiness-based trust chain model is advanced. The model enriches the trust chain theory of trusted computing, and also has instructional value for research on extending the trust chain model. (2) In view of the fact that multiple systems may run on the trusted virtualization platform, an approach to establishing trust for the trusted virtualization platform with a trust tree is presented, based on the trustworthiness-based trust chain model. The approach meets the security requirements of a running trusted virtualization platform, and lays a solid foundation for establishing its trusted computing environment. (3) A multilevel property-based sealing scheme with the support of TPM is put forward. The scheme realizes property-based sealing for data in all virtual machines with TPM, extends properties with different security levels, and allows unsealing according to the property's security level. The scheme enhances the flexibility of property-based sealing, and ensures data security on the trusted virtualization platform more effectively. (4) According to the requirements of data usage on the trusted virtualization platform, an on-demand property-based sealing scheme is brought forward. The scheme realizes sealing data to any component's property, and ensures that sealed data can be unsealed normally in different virtual machines. The scheme enhances the availability of sealed data, and meets the security requirements for sealing and sharing sensitive data on the trusted virtualization platform. In summary, the achievements of this thesis provide security support for the application of virtualization technology, and offer some suggestions for research on trusted computing.
Language: Chinese
Content type: Dissertation
URI: http://ir.iscas.ac.cn/handle/311060/2303
Appears in Collections: State Key Laboratory of Information Security_Dissertations

Files in This Item:
File Name/ File Size Content Type Version Access License
基于Xen的可信计算环境构建关键技术研究.pdf(1696KB)----Restricted access; contact to obtain the full text

Recommended Citation:
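Wang Dan (汪丹). Research on Key Technologies for Building a Trusted Computing Environment Based on Xen (基于Xen的可信计算环境构建关键技术研究) [D]. Beijing. Graduate University of Chinese Academy of Sciences. 2010-05-31.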