As the underlying supporting technology, virtualization brings efficiency and cost reduction, but the conflict between physical sharing and logical isolation also introduces a series of data security issues. In the public cloud, the physical isolation between the networks of different agencies is replaced by virtual networks constructed with network virtualization technology. This pattern of network resource reuse concentrates network traffic and makes efficient use of resources, but it also introduces many security issues. Therefore, how to overcome the security challenges brought by cloud boundary generalization and ensure the security of data in the cloud platform has become a significant problem that urgently needs to be solved in the field of information security.

Utilizing the privilege of the virtual machine monitor to protect the generalized cloud boundary provides a new perspective on data protection in the cloud platform. A trusted virtual domain (TVD) aggregates the virtual machines with the same collaboration needs and data security requirements into one virtual domain. Therefore, the virtual machines carrying the same TVD tag are governed by the same security policy and form a relatively isolated security domain, which compensates for the security problems caused by boundary generalization. Meanwhile, the hotpatch mechanism for business continuity plays a vital role in preventing data leakage caused by exploits. In addition, cryptographic techniques can effectively protect confidentiality through key management and ciphertext-based manipulation, and secure storage technology (ciphertext access control) and ciphertext manipulation (ciphertext queries) provide an important guarantee for the security of data in cloud platforms.

A single layer of data protection cannot effectively counter the security challenges caused by cloud boundary generalization.
Therefore, we consider security factors at different layers, including the execution environment, software security, static data and dynamic data. That is, we enhance the isolation mechanism of network virtualization to separate virtual networks with different security requirements and construct a secure execution environment, and we use secure data storage and secure access techniques to protect data inside this trust domain. The main contents of this paper are summarized as follows.

1) The Building Mechanism of Trust Virtual Domain in Cloud

Existing research does not adequately address the security problems caused by physical network sharing and neglects the demands of collaborative work in the cloud. To solve this problem, we propose a trusted virtual domain architecture, which greatly enhances sensitive data protection in the cloud computing environment. The mechanism utilizes the centralized distribution feature of network virtualization to capture and analyze packets according to the preset policies of the trust virtual domain. Before a packet is delivered to the corresponding virtual machine, we capture it and control the flow according to the security policy, enhancing the isolation between different virtual machines and different domains, so that a safe barrier at the cloud boundary is constructed. Combined with trusted computing theory, we design a trust management mechanism (trust access, trust exit, etc.) to ensure the reliability of the members of a trust virtual domain.

2) VMI-Based Transparent Data Patching to Secure Software in the Cloud

To overcome the defects of the traditional vulnerability protection mechanism of the cloud platform and meet the demand for rapid suppression of vulnerabilities, we propose a transparent hotpatch mechanism, vPatcher, based on virtual machine introspection (VMI) and an input filtering mechanism based on vulnerability signatures. The main idea of this mechanism is as follows.
First, we utilize the privileges of the host system in the virtualization architecture to intercept all network packets passing through the host platform, and then parse the packets to obtain the port information. After that, we map the virtual machines' memory into the privileged domain through the VMI mechanism, obtain the network connections of the processes in the virtual machines via semantic reconstruction, and identify the process corresponding to each received network packet. Finally, we analyze the packet contents together with the corresponding process to check whether a vulnerability signature is matched. For detected exploits, the input inspection module blocks them and protects the vulnerable program from being attacked.

3) A Cryptographic Access Control for Dynamic Policy in Cloud Storage

In order to safely and effectively reduce the performance overhead brought by policy updates, we need to securely reduce the key maintenance burden of the data owner and construct efficient key and data update policies. To solve this problem, we propose a cryptographic access control strategy for dynamic policy in cloud storage (CACDP). CACDP presents a key management tree in the form of a binary trie based on key derivation, enhancing the security of the keys and reducing the number of keys maintained by the data owner and users. Based on this, we use a proxy re-encryption mechanism based on ElGamal and a double-encryption strategy to transfer part of the key and data update work to the cloud servers, in order to reduce the administrative burden of data owners. CACDP effectively reduces the computing and communication costs of both key and data management to better support dynamic updates.

4) A Privacy-Preserving Bucket Partition Mechanism in Cloud

The existing ciphertext query technology fails to provide a deep analysis of privacy leakage under attack. To solve this problem, we propose a privacy-preserving bucket partition mechanism for the DAS model in the cloud.
First, according to the procedure of ciphertext query, we propose several privacy indicators for information leakage. Then, we construct a trade-off model between the privacy indicators and query accuracy. Finally, we utilize a genetic algorithm to balance privacy and accuracy optimally. The algorithm maximizes query accuracy and efficiency, reduces information leakage during the query, and consequently enhances the availability and privacy of sensitive data in the cloud.
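The key-derivation binary trie of item 3 (CACDP), as an added example that is not the authors' code: the owner keeps one master secret, hands a user a single subtree key, and the user derives every leaf key below it but nothing beside or above it. HMAC-SHA256 as the derivation function, bit-string paths and the versioned root used on policy update are assumptions, since the abstract does not specify them.

```python
import hashlib
import hmac
from typing import Optional

# Added example, not the CACDP authors' code. Assumptions: a child key is
# derived one-way from its parent with HMAC-SHA256 over the child bit, a leaf
# key is the data encryption key of the object stored at that path, and the
# owner keeps only a master secret from which the trie root is derived.

def versioned_root(master: bytes, version: int) -> bytes:
    """Root key of the trie for a policy version (re-keyed on policy update)."""
    return hmac.new(master, b"root|%d" % version, hashlib.sha256).digest()

def derive_child(parent_key: bytes, bit: str) -> bytes:
    """One-way step: a child key reveals nothing about its parent or sibling."""
    if bit not in ("0", "1"):
        raise ValueError("trie paths are bit strings")
    return hmac.new(parent_key, bit.encode(), hashlib.sha256).digest()

def derive_key(node_key: bytes, relative_path: str) -> bytes:
    """Walk down the trie from a node whose key is already known."""
    key = node_key
    for bit in relative_path:
        key = derive_child(key, bit)
    return key

def grant_subtree(root_key: bytes, prefix: str) -> bytes:
    """The owner hands a user the single key of the subtree rooted at prefix."""
    return derive_key(root_key, prefix)

def user_leaf_key(grant_prefix: str, grant_key: bytes, leaf_path: str) -> Optional[bytes]:
    """Leaf key the user can compute, or None if the leaf lies outside the grant."""
    if not leaf_path.startswith(grant_prefix):
        return None
    return derive_key(grant_key, leaf_path[len(grant_prefix):])

def owner_leaf_key(master: bytes, version: int, leaf_path: str) -> bytes:
    """Owner recomputes any leaf key on demand from the master secret alone."""
    return derive_key(versioned_root(master, version), leaf_path)

if __name__ == "__main__":
    master = b"constructed-master-secret"      # constructed sample value
    alice = grant_subtree(versioned_root(master, 1), "01")  # may read all of 01*
    for leaf in ("0110", "0100", "1011"):
        k = user_leaf_key("01", alice, leaf)
        ok = k is not None and hmac.compare_digest(k, owner_leaf_key(master, 1, leaf))
        print(leaf, "readable by alice" if ok else "not reachable")
```

Revoking alice from the subtree means moving to version 2, under which her old key derives nothing useful; re-encrypting the affected data under the new keys is the work that CACDP delegates to the cloud through proxy re-encryption.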