Research On Virtual Machine Architecture Based Trusted Computing Environment

Trusted computing environment provides a new arena to address the challenges of computer security by combining software and trusted computing hardware. Virtualization based trusted computing environment further offers powerful security protection for upper applications.However, the development of current trusted computing technology advances its theoretical study, which makes virtualization based trusted computing environment lack of theoretical foundation. Most existing research work consider virtual machine monitor (VMM) as part of trust chain. As a result, existing operating systems cannot support application-level integrity protection. Meanwhile, virtualization-based trusted computing environment generally uses a commodity VMM, which introduces significant performance overhead for building the trusted computing environment. By combining trusted computing and mandatory access control (MAC) policies in virtual machine systems, trusted virtual domain (TVD) can manage authorized overt information flow, however it cannot control the potential risks of covert channels. To solve these problems, this dissertation presents the research on virtualization based trusted computing environment from theoretical and enabling mechanism aspects.This dissertation first defines the chain of trust model in trusted computing environment and isolation model in trusted virtual domains. The chain of trust model in this dissertation is universal, which offers a formal definition of trusted state, trusted root and trust measurement, and unified modeling for DRTM (dynamic root of trust for measurement) and SRTM (static root of trust for measurement), with the assumption that the authenticity of an entity can measure its behavior without any loss. This model also provides a theoretical basis for assessing the existing trusted computing environment, and offers theoretical support for the follow-up research on how to build a more reasonable virtualization based trusted computing environment. The isolation model in trusted virtual domains (Priority Chinese Wall -- PCW) prevents covert flow through careful resource management, and enables users to mitigate remaining covert channels through configuration optionswhile preserving the freedom of choice characteristic of the traditional Chinese Wall policy. It also partitions VM labels into different ranges, as the Caernarvon model does.By following these theoretical principles, this dissertation further presents three t mechanisms to build virtualization based trusted computing environment: transparent chain of trust infrastructure (TCT), lightweight virtualization based dynamic trusted execution environment--Cherub, and covert flows confinement (CFC) mechanism in trusted virtual domains (TVD).TCT aims to extend TCG chain of trust to application layer in virtualization based environment, but maintain the transparency to operating system. It can protect user's sensitive data when their integrity of the environment is broken. TCT solves the problem that the application-level chain of trust is too long in traditional virtualization based environment. Furthermore, it enables commodity platforms the capability to protect the integrity and confidentiality of applications and data, which is similar to IBM 4758 coprocessor equipped platforms.Cherub leverages the dynamic root of trust and hardware virtualization technology to insert a lightweight virtual machine monitor (LVMM) under a running operating system. Through the LVMM, Cherub is able to isolate a trusted execution environment for the memory pages selected by the target process to achieve fine-grained access control and flexible memory protection. Cherub is the first VMM that leverages late launch based dynamic root of trust, which has smaller scale of code and runtime overhead than legacy VMMs. It can protect a wide range of legacy programs in existing commercial operating systems.Covert flow confined mechanism (CFC) establishes the chain of trust from the root of trust to VMM on each node, and then expands the trust chain to distributed enviornmentwith mutual verification. With this, a joint trust base can be achieved. CFC effectively confines covert flows in TVD by enforcing the PCW, which assures that critical information on such systems would not be leaked to the competitors and satisfies enterprise level security requirement.