
Research On Key Technologies Of Trusted Virtual Environments For Cloud Computing

Posted on: 2018-02-04
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Shi
Full Text: PDF
GTID: 1318330512975535
Subject: Information security
Abstract/Summary:
Cloud computing is an internet-based computing model that distributes computing tasks across a resource pool built from a large number of computers. Consumers obtain the computing power, storage space and software services they need and are billed according to actual usage. Cloud computing is another revolution in computer science, but it also brings new security problems. Because computing and storage are distributed, the security problems of cloud computing fall into three areas: virtualization security, application security and tenant security. Virtualization security covers the security of the Virtual Machine Manager (VMM) and the security of the guest operating system. Application security covers environment security and trusted application security. Tenant security is concerned with keeping the isolation mechanism between tenants effective even though the tenants share computing resources. Existing work in these three areas solves the security issues of cloud computing to a certain extent, but some problems remain open.

Combining trusted computing with cloud computing has become a hot research topic. Virtual machine technology greatly improves system security because it isolates virtual machines strongly from one another and gives fine-grained control over system resources. Trusted computing provides the basic support for a secure application platform, such as trusted authentication, trusted measurement and trusted storage, and so addresses the trust and security problem of the system at its root. Combining trusted computing with virtual machine technology can therefore protect user data and applications in the cloud and build a trusted cloud computing environment. Under the trusted cloud computing security architecture proposed by academician Shen Changxiang, this thesis adds the trust requirement of tenant isolation to the trusted cloud computing environment and works on trusted virtual computing resources, trusted cloud applications and a trusted cloud tenant separation mechanism, in order to establish a trusted virtual environment for cloud computing.

The contributions of this thesis are:

(1) A Security Virtual Machine Integrity Monitor (SVMIM) is proposed, which combines trusted computing and virtualization technology to establish a trusted virtual computing environment. SVMIM adopts a hybrid security structure: it monitors and controls the loading of executable files in virtual desktop systems, which overcomes the "semantic gap" that a monitor placed outside the guest otherwise faces, and keeps the security mechanism itself trustworthy. SVMIM also uses storage cloning on network storage to reduce the performance impact of the security mechanism.

(2) Trusted computing technology is used to build a trusted application environment. On a cloud platform, cloud applications include not only ordinary executable programs but also Java applications and web services. Because Java is platform-independent, the execution of a Java application does not depend on the operating system: the Java Virtual Machine (JVM) interprets and executes Java bytecode, so traditional operating-system-based methods for verifying executables are not suited to code running inside the JVM. This thesis first uses the SVMIM mechanism to establish a trusted environment for executable applications, and then establishes a Trusted Java Platform (TJP) that verifies the integrity and authenticity of every class the JVM loads. By controlling JVM class loading, TJP extends the chain of trust into the JVM and ensures that cloud applications are trusted.

(3) The tenant separation mechanism of a cloud is implemented by the Cloud Service Provider (CSP), a third party, and the CSP has to prove that the mechanism is effective in order to give tenants enough confidence to buy its services. Existing tenant separation mechanisms, which only measure external properties of the cloud service, cannot meet the requirements of tenants with high security needs. This thesis presents a trusted cloud tenant separation mechanism that takes transparency into account: it treats the transparency requirement as an inter-domain information flow and carries the control policy and the real-time operating information from the cloud management domain into the tenant's domain. This gives the tenant a way to measure and verify the cloud's tenant separation mechanism. The thesis also proves, using non-interference theory, that the tenant separation mechanism is secure and effective.

(4) A trusted cloud desktop system, a typical cloud application, is built to verify and evaluate the proposed methods. The trusted cloud desktop system is designed from the three aspects above: the trusted virtual computing environment, trusted cloud applications and the trusted cloud tenant separation mechanism. The thesis gives the detailed design and implementation of each functional module. Finally, the thesis carries out a security analysis and performance tests of the prototype system and shows that the prototype is practically usable.
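The chain of trust that contributions (1) and (2) describe, measuring each executable or JVM class at load time against a reference value and extending the result into a tamper-evident record, as an added illustration. This is not the thesis's SVMIM or TJP code: the in-guest reporting agent, the manifest of expected digests, the names and the sample binaries are all constructed for this example, and the accumulator only mimics the TPM extend rule (new = SHA256(old || event), starting from 32 zero bytes) instead of driving a real PCR.

```python
"""
Measured loading with an append-only event log and a PCR-style accumulator.
Added example, not the thesis's SVMIM/TJP implementation. Hypothetical
assumptions: an in-guest agent hands the monitor the name and bytes of every
executable or class about to be loaded; a manifest of expected SHA-256 digests
is provisioned out of band; the accumulator follows the TPM extend rule.
"""
import hashlib
from typing import Dict, List, Tuple

Manifest = Dict[str, str]      # name -> expected hex SHA-256 of the bytes
Event = Tuple[str, str, bool]  # (name, measured hex digest, allowed?)
ZERO_PCR = bytes(32)           # a fresh PCR reads as all zeros


def measure(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def event_hash(name: str, file_digest: str) -> bytes:
    """Bind the name to the content hash so a log entry cannot be relabelled."""
    return hashlib.sha256(name.encode() + b"\0" + bytes.fromhex(file_digest)).digest()


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM-style extend: the new value commits to the old value and the event."""
    return hashlib.sha256(pcr + event).digest()


class MeasuredLoader:
    """Gate each load on the manifest and record every attempt, allowed or denied."""

    def __init__(self, manifest: Manifest) -> None:
        self.manifest = manifest
        self.pcr = ZERO_PCR
        self.log: List[Event] = []

    def load(self, name: str, data: bytes) -> bool:
        digest = measure(data)
        allowed = self.manifest.get(name) == digest
        # Denied attempts are extended too, so a verifier later sees they happened.
        self.pcr = extend(self.pcr, event_hash(name, digest))
        self.log.append((name, digest, allowed))
        return allowed


def replay(log: List[Event]) -> bytes:
    """Recompute the accumulator from the event log alone."""
    pcr = ZERO_PCR
    for name, digest, _ in log:
        pcr = extend(pcr, event_hash(name, digest))
    return pcr


def verify_report(log: List[Event], reported_pcr: bytes, manifest: Manifest) -> bool:
    """Verifier side: the log must replay to the reported PCR, and every recorded
    load must match the manifest, so no tampered or unknown code was loaded."""
    if replay(log) != reported_pcr:
        return False
    return all(manifest.get(name) == digest for name, digest, _ in log)


# Constructed stand-ins for a desktop agent binary and a Java class file.
GOLDEN = {
    "vdesk-agent": b"\x7fELF" + b"constructed agent binary",
    "com/example/App.class": b"\xca\xfe\xba\xbe" + b"constructed class file",
}


def demo() -> Dict[str, bool]:
    manifest = {name: measure(data) for name, data in GOLDEN.items()}

    clean = MeasuredLoader(manifest)
    r = {
        "agent_allowed": clean.load("vdesk-agent", GOLDEN["vdesk-agent"]),
        "class_allowed": clean.load("com/example/App.class", GOLDEN["com/example/App.class"]),
    }
    r["clean_attests"] = verify_report(clean.log, clean.pcr, manifest)

    dirty = MeasuredLoader(manifest)
    dirty.load("vdesk-agent", GOLDEN["vdesk-agent"])
    # A patched agent binary and a class not in the manifest are both refused.
    r["patched_denied"] = not dirty.load("vdesk-agent", GOLDEN["vdesk-agent"] + b"\x90")
    r["unknown_denied"] = not dirty.load("evil.class", b"\xca\xfe\xba\xbe\x00")
    r["dirty_attests"] = verify_report(dirty.log, dirty.pcr, manifest)
    # Scrubbing the denied events from the log does not help: the PCR no longer replays.
    scrubbed = [e for e in dirty.log if e[2]]
    r["scrubbed_attests"] = verify_report(scrubbed, dirty.pcr, manifest)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of extending denied attempts as well as allowed ones is the transparency the thesis asks for: the tenant-side verifier learns not only that the approved agent and classes ran, but also that something unapproved was attempted, and it cannot be hidden by editing the log after the fact.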
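The non-interference argument in contribution (3), as an added worked example rather than the thesis's own model or proof. A bounded check enumerates every trace of actions up to a fixed length and confirms that what a domain observes does not change when the actions of domains the policy forbids from influencing it are purged from the trace. The domains, the policy (management may influence tenants; tenants may influence neither each other nor management), the toy allocation system and the action names are all constructed here; the leaky variant exposes a shared free-pool counter to every tenant, the separated variant does not.

```python
"""
Bounded non-interference check for a tenant separation policy.
Added example; domains, actions, state and policy are constructed for illustration.
"""
from itertools import product
from typing import Any, Callable, Dict, List, Optional, Tuple

Domain = str
Action = Tuple[Domain, str, Any]   # (acting domain, operation, argument)
State = Dict[str, Any]

DOMAINS = ("mgmt", "A", "B")
# ALLOWED[(u, v)]: actions of domain u may influence what domain v observes.
# The policy is transitively closed, so the simple purge below is sufficient.
ALLOWED = {(d, d) for d in DOMAINS} | {("mgmt", "A"), ("mgmt", "B")}


def purge(trace: Tuple[Action, ...], d: Domain) -> Tuple[Action, ...]:
    """Drop every action whose domain is not allowed to interfere with d."""
    return tuple(a for a in trace if (a[0], d) in ALLOWED)


def run(step: Callable[[State, Action], State], init: State, trace: Tuple[Action, ...]) -> State:
    s = init
    for a in trace:
        s = step(s, a)
    return s


def find_interference(step, init, output, actions: List[Action], max_len: int = 3
                      ) -> Optional[Tuple[Domain, Tuple[Action, ...]]]:
    """Return (domain, trace) for the first trace on which the domain's observation
    differs from its observation after the purged trace, or None if none is found
    up to max_len. A None result is only evidence up to that bound."""
    for n in range(max_len + 1):
        for trace in product(actions, repeat=n):
            for d in DOMAINS:
                if output(run(step, init, trace), d) != output(run(step, init, purge(trace, d)), d):
                    return d, trace
    return None


# Constructed toy cloud: management sets per-tenant quotas, tenants allocate VMs.
INIT: State = {"quota": {"A": 1, "B": 1}, "used": {"A": 0, "B": 0}, "pool_free": 4}
ACTIONS: List[Action] = [
    ("mgmt", "set_quota", ("A", 2)),   # control policy pushed from the management domain
    ("A", "alloc", None),              # tenant A allocates a VM
    ("B", "alloc", None),              # tenant B allocates a VM
]


def _copy(s: State) -> State:
    return {"quota": dict(s["quota"]), "used": dict(s["used"]), "pool_free": s["pool_free"]}


def leaky_step(s: State, a: Action) -> State:
    """Allocations come out of one shared pool; its free count is visible to all tenants."""
    s = _copy(s)
    dom, op, arg = a
    if op == "set_quota":
        tenant, q = arg
        s["quota"][tenant] = q
    elif op == "alloc" and s["used"][dom] < s["quota"][dom] and s["pool_free"] > 0:
        s["used"][dom] += 1
        s["pool_free"] -= 1
    return s


def leaky_output(s: State, d: Domain):
    if d == "mgmt":
        return tuple(sorted(s["quota"].items()))
    return (s["used"][d], s["quota"][d], s["pool_free"])   # pool_free is a covert channel


def separated_step(s: State, a: Action) -> State:
    """Each tenant allocates only against its own reserved quota; no shared counter."""
    s = _copy(s)
    dom, op, arg = a
    if op == "set_quota":
        tenant, q = arg
        s["quota"][tenant] = q
    elif op == "alloc" and s["used"][dom] < s["quota"][dom]:
        s["used"][dom] += 1
    return s


def separated_output(s: State, d: Domain):
    if d == "mgmt":
        return tuple(sorted(s["quota"].items()))
    return (s["used"][d], s["quota"][d])


if __name__ == "__main__":
    print("leaky:", find_interference(leaky_step, INIT, leaky_output, ACTIONS))
    print("separated:", find_interference(separated_step, INIT, separated_output, ACTIONS))
```

On the leaky system the check stops at the one-action trace in which tenant A allocates: tenant B's view changes (the free count drops from 4 to 3) even though A is not allowed to influence B, which is exactly the kind of cross-tenant channel a separation proof has to rule out. On the separated system no trace up to the bound distinguishes the two runs. A bounded enumeration like this is a debugging aid, not a proof; the thesis's argument is an unbounded non-interference proof over its own model, which this page does not reproduce.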
Keywords/Search Tags:Cloud computing, Trusted computing, Transitive trust, Trusted virtual environments, Tenant separation