
Research And Implementation On Xen Cloud Security Isolation Technology

Posted on: 2014-06-28
Degree: Master
Type: Thesis
Country: China
Candidate: C G Shao
GTID: 2268330401467193
Subject: Computer technology

Abstract/Summary:
Cloud technology has gradually entered people's production and daily life and has brought a great deal of convenience. As cloud computing changes how people live, it is also redefining the concept of computer security. As more and more data moves to the cloud, people have started to worry about security. So far, almost all research still works with outdated models, and only a few people are aware of the security problems inside the cloud. Inside-cloud vulnerability was ignored until a Google employee was exposed abusing privileges to steal users' private data.

Today, security has become one of the biggest obstacles to cloud computing. As the main carrier of cloud computing, Xen is still "streaking" in cloud operators' machine rooms, and internal security problems now threaten the safety of users' data.

To address these problems, this thesis looks for a way to protect Xen from internal threats by means of block device isolation, memory isolation and desktop protocol isolation. Focusing on the attack methods in these three areas, and through fine-grained analysis of the Xen source, we identified the isolation entry point for each of them. For block device isolation, we added an encryption module to Qemu, which prevents the Domain0 administrator from viewing the data on a virtual hard disk with management tools. For memory isolation, we modified the workflow of the memory mapping procedure by extending the ACM control framework, so that illegal access by the administrator from Dom0 to a VM's memory is prevented. For desktop protocol isolation, we encrypted the virtual VGA's image and paired it with a decryption module in a modified VNC client, so that the administrator cannot rebuild desktop protocol data by capturing packets from the physical adapter. All procedures that involve encryption are based on PKI technology. We used an independent server for key management and a secure key access interface to protect the key. Thus, we made the security of the encryption procedure verifiable.

Test results show that the isolation modules in this system achieved the expected goals in terms of performance on the efficiency of memory, hard disk and desktop protocol. Thus, we achieved the goal of data isolation between Domain0 and DomainU. This research follows the development of the Internet security situation and enhances the security of Xen-based cloud environments, which can contribute to cloud security work in our nation.
Keywords/Search Tags: Xen, Cloud Security, Virtualization Security