
Research On The Key Theory And Technology Of Trusted Infrastructure-as-a-Service

Posted on: 2016-10-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: S Xiang
GTID: 1368330485465950
Subject: Information security
Abstract/Summary:
As a new computing mode, the core ideas of cloud computing are resource renting, application hosting and service outsourcing. With this mode, different kinds of resources are fully utilized and the on-demand service concept is truly realized. There are three service layers in cloud computing: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Among them, IaaS is the most basic and lowest layer; it provides hardware infrastructure, software resources and massive data-processing capacity via the Internet. However, it is precisely because IaaS aggregates large numbers of computing and storage components that many security problems arise in it. According to an Accenture investigation report, lack of trust explains users' refusal of cloud services. Trust issues in IaaS have become a key obstacle to the development and popularization of cloud computing.

Trusted computing can solve trust issues in an operating system. In this technology, trust starts from a small, primitive piece of device firmware and expands to higher-level software. After a decade of development, the theories of the trusted computing base, the trust model and trust transfer have been rigorously derived and proved. Meanwhile, the techniques of measurement, the trusted software stack and trusted network connection have complete specifications and implementations. We therefore consider applying trusted computing technology to construct a credible IaaS environment. Still, the cloud has characteristics that distinguish it from an ordinary PC and that require new theories and techniques.

This paper focuses on the key theories and technologies of trusted computing in IaaS: the definition and analysis of trust, the establishment of the trusted computing base, the model of trust transfer, the construction and use of the trusted software stack, the dynamic measurement of resources, the trusted network connection of tenants, and so on. A trustworthy private cloud based on OpenStack is then built. Combined with the characteristics of cloud computing, we design a trusted network connection protocol and a dynamic measurement protocol. Two improvements to the existing trusted computing base and trust chain are also made to solve the specific problems that arise when the protocols are applied. Our scheme is theoretically innovative and of great theoretical and practical significance for the further construction of trusted IaaS clouds. The concrete research content covers the following aspects:

1. The definition and analysis of IaaS in the cloud environment. Since the definition of IaaS credibility is vague and an analysis method for some trust attributes is absent, we define what a trusted cloud is and which attributes can be used to prove that a cloud is trustworthy. We then refine these attributes and give a detailed description of each sub-attribute. In addition, we use a labeled transition system as an operational-semantics description tool to depict the interactive processes among the inner components of a cloud caused by IaaS; these are described as interactions either between users and the cloud or among internal entities in IaaS. On this basis, a model that can be used to analyze some dynamic attributes is built, which provides a theoretical foundation for combining trusted computing with IaaS.

2. Peer trust protocols for the tenant and the cloud platform in IaaS. To solve the lack of mutual trust between users and the cloud, we design two protocols using trusted computing technology: a dynamic measurement protocol and a trusted network connection protocol. The former gives users real-time trust in the resources of the IaaS platform, and the latter gives the IaaS platform trust in users and their access terminals. Thus the trust asymmetry between users and service providers commonly encountered in general web services is resolved.

3. Research on the trusted computing base and trust transfer model in IaaS. Measurement is normally the basic technology used when designing a secure protocol, and it relies on the trusted computing base and trust chain as its theoretical and technical support. However, current theories and techniques are not suited to the multi-node cooperation situations found in IaaS, which causes difficulties in protocol application. We define two trust types and describe a static and a dynamic root of trust respectively; their integration is taken as the trusted computing base of IaaS. Meanwhile, to solve the problem that single-node trust transfer techniques cannot be applied to the multi-node situation, we propose a parallel trust structure and realize parallel transfer of trust and of platform control.

4. Construction of a trusted IaaS cloud prototype. We propose a construction method for a trustworthy private IaaS cloud prototype and give the framework design and the specific implementation techniques of the cloud. We also provide a solution to the possible Trusted Platform Module (TPM) resource deadlock problem in IaaS. Our scheme is tested, and the experimental results show that the proposed theory is feasible and practical, with good performance and security assurance.
Keywords/Search Tags: IaaS cloud, trusted computing, trusted computing base, trust model, dynamic measurement