Research On Key Techniques Of Memory System Data Confidentiality And Integrity Protection

Posted on: 2006-08-31
Degree: Doctor
Type: Dissertation
Country: China
Candidate: F Y Hou
GTID: 1118360155472166
Subject: Computer Science and Technology

Abstract/Summary:
Computing security is a focus of current research. Building a secure computing system involves many factors; among them, providing data confidentiality and integrity is one of the most essential requirements. However, implementing the related protection measures always faces substantial difficulties; typically, providing solid protection conflicts with achieving high performance. This paper targets the memory/storage system of the computer and studies how to protect data confidentiality and integrity, with these goals: the protection measures are sufficiently strong, the protection processes are high performance, and the related costs are acceptable.

Viewed as a hierarchy, the memory/storage system includes the on-chip cache memory, the off-chip random access memory, and the peripheral storage devices; in a network storage architecture, it may also include the storage space provided by remote nodes. Generally, the processor is treated as trusted (i.e., it is free from the threat of attacks), while everything outside the processor is untrusted (i.e., vulnerable to attacks). This paper tries to give data confidentiality and integrity protection solutions for these weak parts; additionally, it studies a special kind of attack executed with the help of advanced simulators, and proposes an approach to avoid that threat.

The main purpose of this work is to research the foundational methods and implementation techniques of data protection; it emphasizes integrating the protection processes with the characteristics of computer architecture, and tries to obtain optimized designs. Its primary achievements are the following:

1) For the integrity verification of system memory, it proposes a workable approach to optimizing the Hash Tree. This approach efficiently exploits the locality of memory accesses to speed up integrity checking. At the same time, it eliminates the performance impact of excessive pollution of the on-chip caches, because the buffer it uses can be untrusted and can be placed outside the processor.

2) For the protection of the shared memory of a symmetric multi-processor system, it builds a distributed protection structure, which distributes the protection processes between the processor and the MCH so that they achieve security together. To reduce the performance impact of protection, it combines OTP encryption and timestamp verification effectively; consequently, this security scheme gives system bus transactions low encryption latency, makes integrity verification low cost, and keeps the design of the MCH light-weight.

3) Building on the security of memory, it further investigates the protection of peripheral devices, and proposes an online, sector-level hard disk integrity verification mechanism. Checking sectors directly gives a unified low-level protection mechanism for disk storage devices (including file systems). It adopts an optimization method based on a special structure of Hash Tree, which not only optimizes the integrity checking processes but also facilitates time-critical consistency recovery.

4) To protect the security of remote data in a network storage architecture, it gives a protection method that relies on trustworthily holding the secret key information associated with data blocks. This method is applicable to many application cases, and achieves data protection at low cost compared with other similar systems.

5) Additionally, it studies a powerful attack implemented with the help of some sophisticated simulators. To circumvent this potential threat to security, it puts forward a method that relies on the behavioral characteristics of the processor to judge whether a physical processor really exists.
Keywords/Search Tags:Confidentiality, Integrity, Memory/Storage System, Memory, Disk, Remote Storage, Hash Tree, OTP Encryption, Simulator, Timing