
Research On Information Flow Control And Key Technology For Data Security Protection In Virtual Machine

Posted on: 2018-05-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y Z Du
Full Text: PDF
GTID: 2348330563451360
Subject: Software engineering
Abstract/Summary:
With the rise of cloud computing and big data, the Internet is entering its next stage and is gradually changing the way people live and work at a deeper level. The rapid development of cloud computing, however, has always been accompanied by security concerns: because of how cloud computing works, data is no longer managed only by the user but also by the cloud provider. Virtualization is the key supporting technology of cloud computing, so this thesis studies the security of virtual machines.

Traditional access control is hard to apply to protecting data end to end, so it is not suited to protecting data and privacy in a virtualized environment. Information flow control can solve this problem effectively. However, current research on information flow control in virtual machine environments is limited to a single-host setting and is difficult to apply directly to the cloud computing environment. Studying virtual machine security in the cloud computing setting is therefore important.

Based on the characteristics and security requirements of virtual machine systems, this thesis studies an information flow control model for virtual machine security and the key technologies needed to implement it:

1. The security model is the foundation of the control mechanism. To address the shortcomings of existing models in control granularity, flexibility, and user conflicts of interest, a Mixed Flow Based Distributed Cloud Information Flow Control Model (MDIFC) is proposed. The model extends DIFC and introduces taint propagation to track sensitive data, so that the system can enforce the policy and user data is better protected. To improve flexibility, and taking the initiative of virtual domains into account, the model introduces the concepts of on-demand control and output classification, which also reduce the workload caused by taint propagation. The thesis specifies the model using a calculus and proves, with the PicNic tool, that MDIFC systems have the noninterference security property. Finally, an example is used to demonstrate MDIFC.

2. The control mechanism is the key to implementing system security. Existing mechanisms have difficulty with the transmission of sensitive data over the network and with file access, so a mechanism called information flow control by attribute-based encryption is proposed, which combines attribute-based encryption with information flow control. By redesigning how user private keys are generated and how the access tree is generated, the mechanism reduces the work users must do to formulate access policies while keeping data in the cloud under full information flow control, thereby addressing the risks above. A prototype is implemented and the performance of the method is tested.

3. In the cloud environment, cross-VM side-channel attacks can bypass the information flow control mechanism, so a VCPU scheduling algorithm that resists side-channel attacks is designed for the Xen hypervisor. To deal with cross-VM side-channel attacks, the leakage between different virtual machines in the cloud environment is formalized, and scheduling algorithms for compute-oriented and delay-sensitive workloads are proposed. Simulation results show that the algorithms reduce the risk of leakage effectively.

4. An efficient, fine-grained information flow control system for virtual machines, VDIFC, is designed and implemented. The design idea and structure of the system are given first, then the key technologies of each module, and finally the functional and performance test results. The results show the feasibility of the proposed theory.
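To make the DIFC-with-taint-propagation idea in contribution 1 concrete, the following is an added illustrative example, not code from the thesis and not the MDIFC model itself: a minimal secrecy-only label check in the style of classical DIFC (secrecy tags on data, clearance and declassification privilege on domains, taint that rises as a domain reads). The domain names, tag names, the `Domain`/`Tainted` classes and the `transfer`/`derive` functions are assumptions made for this example; integrity tags, on-demand control and output classification as defined in the thesis are not modelled.

```python
"""Added illustrative example, not code from the thesis: a minimal DIFC
(decentralized information flow control) secrecy check with taint propagation
between virtual domains. Domain names, tag names and the transfer/derive API
are assumptions made for this example; integrity tags are omitted."""
from dataclasses import dataclass


class FlowViolation(Exception):
    """Raised when a transfer would let tagged data reach an uncleared domain."""


@dataclass(frozen=True)
class Tainted:
    """A value together with the secrecy tags (taint) it carries."""
    payload: str
    tags: frozenset


class Domain:
    """A virtual domain (VM or service) in the model.

    clearance: secrecy tags the domain is permitted to hold.
    owns:      tags the domain is privileged to declassify (strip) on send.
    taint:     tags of everything the domain has read so far; every value it
               derives inherits them (this is the taint propagation).
    """

    def __init__(self, name, clearance=(), owns=()):
        self.name = name
        self.clearance = frozenset(clearance)
        self.owns = frozenset(owns)
        self.taint = frozenset()

    def derive(self, payload, *inputs):
        """Produce a new value tagged with the domain's taint plus its inputs' tags."""
        tags = self.taint
        for item in inputs:
            tags |= item.tags
        return Tainted(payload, tags)


def transfer(src, dst, data, declassify=False):
    """Move data from src to dst under the secrecy lattice rule.

    After optional declassification of tags that src owns, every remaining tag
    must be within dst's clearance, otherwise the flow is refused. On success
    dst's taint rises to include what it received."""
    tags = data.tags - src.owns if declassify else data.tags
    leaked = tags - dst.clearance
    if leaked:
        raise FlowViolation(f"{src.name} -> {dst.name}: not cleared for {sorted(leaked)}")
    dst.taint |= tags
    return Tainted(data.payload, tags)


def demo():
    """Walk one constructed record through three domains; return what happened."""
    pii = "alice-pii"
    user_vm = Domain("user-vm", clearance={pii}, owns={pii})   # data owner
    analytics = Domain("analytics-vm", clearance={pii})        # may process, not release
    log_vm = Domain("log-vm")                                  # no clearance at all

    # Constructed sample record, labelled by its owner before it leaves user_vm.
    record = Tainted("alice,1985-04-02,+1-555-0100", frozenset({pii}))
    received = transfer(user_vm, analytics, record)            # allowed: analytics is cleared
    summary = analytics.derive("age-bucket=30-39", received)   # inherits the pii tag

    # analytics owns no tags, so the summary is refused even with declassify=True.
    refused = 0
    for attempt in (False, True):
        try:
            transfer(analytics, log_vm, summary, declassify=attempt)
        except FlowViolation:
            refused += 1

    # The owner may receive the summary and release it after stripping its tag.
    back = transfer(analytics, user_vm, summary)
    released = transfer(user_vm, log_vm, back, declassify=True)
    return {"summary_tags": summary.tags, "refused": refused,
            "released_tags": released.tags, "log_taint": log_vm.taint}


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the abstract relies on: the derived summary is blocked at the log domain not because anyone wrote a rule about summaries, but because the tag travelled with the data through `derive`, and only the domain that owns the tag can remove it. The workload concern the abstract mentions is visible too: every derived value pays a set union, which is what output classification and on-demand control are meant to reduce.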
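Contribution 2 rests on access trees as used in ciphertext-policy attribute-based encryption (threshold gates over attribute leaves, with AND and OR as special cases). The following is an added illustrative example, not code from the thesis and not its key-generation or access-tree construction: it evaluates such a tree against the attribute set embedded in a user's private key, which is exactly the condition under which a CP-ABE decryption succeeds. The attribute names, the `Gate` class, the helper functions and the sample policy are assumptions made for this example; the pairing-based cryptography that actually enforces the policy, and the way the thesis ties keys to flow labels, are not modelled.

```python
"""Added illustrative example, not code from the thesis: evaluating a CP-ABE
style access tree (threshold gates over attribute leaves) against the attribute
set embedded in a user's private key. Attribute names, the Gate class and the
policy below are assumptions made for this example; the pairing-based
cryptography that actually enforces the policy is not modelled."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gate:
    """Internal tree node: satisfied when at least `threshold` children are.
    AND is threshold == len(children); OR is threshold == 1. Leaves are strings."""
    threshold: int
    children: tuple

    def __post_init__(self):
        if not 1 <= self.threshold <= len(self.children):
            raise ValueError("threshold must be between 1 and the number of children")


def AND(*children):
    return Gate(len(children), children)


def OR(*children):
    return Gate(1, children)


def satisfies(node, attrs):
    """True iff the attribute set satisfies the access tree rooted at node."""
    if isinstance(node, str):
        return node in attrs
    return sum(satisfies(c, attrs) for c in node.children) >= node.threshold


def satisfying_subset(node, attrs):
    """Return the attributes actually needed to satisfy the tree (a witness
    that decryption would succeed), or None if the tree is not satisfied."""
    if isinstance(node, str):
        return frozenset({node}) if node in attrs else None
    chosen = []
    for child in node.children:
        sub = satisfying_subset(child, attrs)
        if sub is not None:
            chosen.append(sub)
            if len(chosen) == node.threshold:
                return frozenset().union(*chosen)
    return None


# Constructed policy: the data owner (or an admin) AND at least two of three
# platform attributes describing where the ciphertext may be opened.
POLICY = AND(
    OR("tenant:alice", "role:admin"),
    Gate(2, ("cloud:region-eu", "vm:trusted-boot", "clearance:high")),
)


def check_keys():
    """Evaluate POLICY against two constructed private-key attribute sets."""
    key_alice = frozenset({"tenant:alice", "vm:trusted-boot", "clearance:high"})
    key_admin = frozenset({"role:admin", "cloud:region-eu"})   # only one platform attribute
    return {
        "alice": satisfying_subset(POLICY, key_alice),
        "admin": satisfying_subset(POLICY, key_admin),
    }


if __name__ == "__main__":
    for who, witness in check_keys().items():
        print(who, "can decrypt with" if witness else "cannot decrypt:", sorted(witness or []))
```

A check like this is useful before encrypting, to confirm that a policy admits exactly the key holders it should; it is not the enforcement itself. In CP-ABE the ciphertext carries the tree and the private key carries the attributes, so an unsatisfied tree leaves the holder unable to reconstruct the decryption secret regardless of any software check, which is what lets the thesis keep data under flow control even once it sits in the provider's storage or crosses the network.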
Keywords/Search Tags: Virtual Machine Security, Information Flow Control, Attribute Based Encryption, Side Channel Defense