Deqing Zou,Weide Zheng,Jinjiu Long,Hai Jin,Xueguang Chen

DOI: https://doi.org/10.1016/j.future.2009.05.020

IF: 7.307

2010-01-01

Future Generation Computer Systems

Abstract:P2P grid is a natural merger of grid computing and P2P computing. Currently, P2P grids are hard to be commercially adopted because user programs and sensitive data are compromised easily and no trusted execution environment is provided on P2P grid nodes. Virtualization technologies become more and more popular, which allows one computer system to function as multiple virtual systems. When a P2P grid node is equipped with virtualization technologies, the virtual machine monitor (VMM) under the operating system is more secure than the OS because the VMM is much less complicated than the OS, and trusted platform module (TPM) embedded into the underlying hardware can provide integrity protection for the VMM. In this paper, we introduce how to construct a trusted execution environment on P2P grid nodes equipped with secure VMM. The VM images used for deploying virtual execution environment are protected and verified. A VM image will be selected and deployed onto a P2P grid node according to the job requirement and node situation, such as node performance and node reputation. Finally, the overhead of trusted image store and deployment is analyzed.

Zhi-Dong Shen,Fei Yan,Wei-Zhong Qiang,Xiao-Ping Wu,Huan-Guo Zhang

DOI: https://doi.org/10.1109/imsccs.2006.72

2006-01-01

Abstract:Grid provides people the way to share large mount of distributed resources and services that belong to different local organizations. That is a good way to share many kinds of distributed resources via the network in the open environment, thus it makes security problems more complicate and more important for us than before. In this paper, we analyze the requirements of trusted computing in grid. Considering the security and safety problems both in software and hardware, we construct a way to promote the trusted computing environment for grid by integrating the trusted computing platform (TCP) into grid system. We propose a new prototype system, the Daonity, in which grid system is combined with trusted platform support service (TSS) and TSS is based on trusted platform module (TPM). In this design, better effect can be obtained in authentication, confidentiality and integrity in grid computing environment

Cui Yan-Li,Zhang Xing

DOI: https://doi.org/10.1109/cnmt.2009.5374540

2009-01-01

Abstract:In the distributed environment, one important security issue is how to apply further security control to the object that is released to other terminals. The appearance of trusted computing technology has provided an effective solution for this issue in the distributed environment. At the same time, through combining trusted computing technology with the strong isolation and sharing characteristic provided by virtual machine technology has further increased the security and the flexibility of distributed access control. Therefore, this paper uses trusted computing technology to improve the security of the terminal in carrying out the distributed access control, designs a trusted terminal architecture that bases on the trusted computing technology and the virtual machine technology as well as a enhanced mode that suits in distributed access control, and on this basis, analyzes the security of system design.

Ke Xu,Yuexuan Wang,Cheng Wu

DOI: https://doi.org/10.1007/11745693_53

2006-01-01

Abstract:Ensuring the reliability and robustness of complex scientific grid applications is a critical issue for managing and sharing expensive scientific instruments. However, guaranteeing the correct processing of grid applications under all circumstances is difficult and not fully addressed by existing grid infrastructure. Hidden flaws in the applications including unexpected internal behaviors, dissatisfaction of real-time constraints, incompatibility in service interactions, etc may lead to subtle failures in grid systems. This work tries to enhance the trustworthiness of grid applications by investigating existing formal techniques and their extensions. A formal framework based on extensions of Pi calculus is proposed which also integrates formal techniques of model checking and bisimulation analysis to enable the reasoning of grid applications from three perspectives: data, time and behavior. In addition, both application examples and our current implementation architecture are also concluded.

Jin Hai,Yi Chuanjiang

DOI: https://doi.org/10.1007/s11704-007-0020-5

2007-01-01

Frontiers of Computer Science in China

Abstract:In grid computing environment, grid users often need to authorize remote computers acting as original users’ identity. But the original user may be under the risk of information leakage and identity abused for sending his credential to remote computing environment. Existing grid security practice has few means to enforce the security of credential delivery. Trusted Computing (TC) technology can be added to grid computing environment to enhance the grid security. With TC using an essential in-platform (trusted) third party, Trusted Platform Module (TPM), we can use TC to protect the user credential. In this paper we present credential migration management (CMM) system, which is a part of Daonity project, to manifest migrating credential in security between different computers with TPM.

Fei Yan,Qiang Wang,Zhidong Shen,Chunrun Chen,Huanguo Zhang,Deqing Zou

DOI: https://doi.org/10.1007/11839569_22

2006-01-01

Abstract:A critical problem for grid security is how to gain secure solution for Grid virtual organization (VO). In Grid practice at present, issues of VO security rely on non-distributed policy management and related PKI mechanism. A practical but difficult solution is to enforce fine granularity policy over distributed sites. The emerging Trusted Computing (TC) technologies offer great potential to improve this situation. In our Project Daonity, Trusted Platform Module (TPM), as a tamper-resistance module, is shared as a strong secure resource among platforms of grid users. Based on the sharing mechanism, a TC-enabled architecture is proposed to improve Grid Security Infrastructure, especially authorization protection and single sign on are enhanced to demonstrate how to gain enhanced and distributed security in grid environment.

Yan Fei,Zhang Huanguo,Sun Qi,Shen Zhidong,Zhang Liqiang,Qiang Weizhong

DOI: https://doi.org/10.1007/bf02831880

2006-01-01

Abstract:Current delegation mechanism of grid security infrastructure (GSI) can't satisfy the requirement of dynamic, distributed and practical security in grid virtual organization. To improve this situation, a TC-enabled GSI is discussed in this paper. With TC-enabled GSI, a practical delegation solution is proposed in this paper through enforcing fine granularity policy over distributed platforms with the emerging trusted computing technologies. Here trusted platform module is treated as a tamper-resistance module to improve grid security infrastructure. With the implement of Project Daonity, it is demonstrated that the solution could gain dynamic and distributed security in grid environment.

Fei Yan,Huanguo Zhang,Zhidong Shen,Liqiang Zhang,Weizhong Qiang

DOI: https://doi.org/10.1109/wicom.2006.293

2006-01-01

Abstract:Current grid computing has developed from traditional high performance, distributed and site-fixed computing to pervasive, ubiquitous and wireless computing. In practice, PKI-based solutions are introduced to solve security of grid computing. Because of limited computation power and limited memory spaces, it is difficult for wireless grid computing to gain secure solution in collaboration environment. The trusted computing (TC) technologies are introduced to offer great potential to improve this situation. In this paper, with treated trusted platform module (TPM) as a tamper-resistance module, a TC-enabled architecture is proposed to improve wireless grid security. Especially authorization protection is discussed to demonstrate how to gain enhanced and distributed security in grid environment

Wenbo Mao,Andrew Martin,Hai Jin,Huanguo Zhang

DOI: https://doi.org/10.1007/978-3-642-04904-0_18

2009-01-01

Abstract:A central problem for Grid (or web) services is how to gain confidence that a remote principal (user or system) will behave as expected. In Grid security practice at present, issues of confidentiality and data integrity rely on weak social trust mechanisms of "reputation maintenance": a principal who is introduced by a reputable party should hopefully behave in "best effort" to maintain the reputation of the introducer. As will be discussed in this paper, this gentleman's notion of trust is insufficient for a large class of problems in Grid services.The emerging Trusted Computing (TC) technologies offer great potential to improve this situation. The TC initiative developed by the Trusted Computing Group (TCG) takes a distributed-system-wide approach to the provisions of integrity protection for systems, resources and services. Trust established from TC is much stronger than that described above: it is about conformed behaviors of a principal such that the principal is prohibited from acting against the granted interests of other principals it serves.We consider that this stronger notion of trust from TC naturally suits the security requirements for Grid services or science collaborations. We identify and discuss in this paper a number of innovations that the TC technologies could offer for improving Grid security.

Qin Zhang,Chunrun Chen,Weizhong Qiang,Yingshu Liu

DOI: https://doi.org/10.3321/j.issn:1671-4512.2007.12.002

2007-01-01

Abstract:A network environment based sharing model for trusted computing platform, a scheme called grid trusted sharing model (GTSM) was proposed to improve the holistic security in the environment mixture of trusted and untrusted platforms. In this model, untrusted grids could use the trusted grids of trusted platform module and its core services to improve untrusted grids' participation and the trust of the coordination with the network. Three protocols, including remote agreement, key migration, verify and attestation were proposed to guarantee the security during the interaction in GTSM. The analytical results showed that the model had acceptable performance to support more sensitivity applications while delivering high security.

CHEN Wen-zhi,HUANG Wei,XIE Cheng,HE Qin-ming

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.02.016

2009-01-01

Abstract:Virtualization was introduced to increase the security of embedded devices while avoiding the shortcomings caused by the hardware-based approach such as poor flexibility,high complexity and high production cost of equipments.Virtualization platform SmartVP offers a secure system environment by the software-based approach.SmartVP partitions the computing resources on the ARM processor into two parallel sets,one for standard real-time operating system T-Kernel and the other for general-purpose operating system Linux.The trusted computing base of SmartVP is constructed by protecting the code and data of the software on T-Kernel,as well as by implementing the fundamental security services and interfaces.Both performance benchmark and applications show that SmartVP improves the security of embedded devices and reduces the implementing risk together with developing time and cost.

PAN Hai-jun,LU Kui-jun,WU Zhao-hui

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.10.015

2005-01-01

Abstract:Security is one major concern in grid computing system. Integrating trust mechanism into grid resource management can improve the reliability of grid entities' interoperation. Considering the uncertainty of trust, this paper mainly studies trust quantification, proposes a global trust quantification compute engine based on grid system and places an emphasis on compute method. Experimental results show that this method proposed is more robust on performance than the current trust compute engine.

Jingkai Mao,Haoran Zhu,Junchao Fan,Lin Li,Xiaolin Chang

2024-05-02

Abstract:The Virtual Machine (VM)-based Trusted-Execution-Environment (TEE) technology, like AMD Secure-Encrypted-Virtualization (SEV), enables the establishment of Confidential VMs (CVMs) to protect data privacy. But CVM lacks ways to provide the trust proof of its running state, degrading the user confidence of using CVM. The technology of virtual Trusted Platform Module (vTPM) can be used to generate trust proof for CVM. However, the existing vTPM-based approaches have the weaknesses like lack of a well-defined root-of-trust, lack of vTPM protection, and lack of vTPM's trust proof. These weaknesses prevent the generation of the trust proof of the CVM. This paper proposes an approach to generate the trust proof for AMD SEV-based CVM so as to ensure its security by using a secure vTPM to construct Trusted Complete Chain for the CVM (T3CVM). T3CVM consists of three components: 1) TR-Manager, as the well-defined root-of-trust, helps to build complete trust chains for CVMs; 2) CN-TPMCVM, a special CVM provides secure vTPMs; 3) CN-CDriver, an enhanced TPM driver. Our approach overcomes the weaknesses of existing approaches and enables trusted computing-based applications to run seamlessly in the trusted CVM. We perform a formal security analysis of T3CVM, and implement a prototype system to evaluate its performance.

Cryptography and Security,Software Engineering

Xu-dong HAO,Chun-xiang XU

DOI: https://doi.org/10.3969/j.issn.1009-2552.2009.09.017

2009-01-01

Abstract:As a hot topic of computing world at present,the virtualization technology can make convince to manage the computing resources and be used to cloud computing.With the growing of these technology,some security problems come out,many malicious programs are booted on the launching time of the virtualization systems,then the trusted execution technology becomes more important.This paper introduces the features and mechanism of the trusted execution technology,and analyses the central component of this technology,finally gives a conclusion for the research status and exist problems.

Xin Wan,Zhiting Xiao,Yi Ren

DOI: https://doi.org/10.1109/MINES.2012.82

2012-01-01

Abstract:A key technology of cloud computing is virtualization, which can lead to reduce the total cost and increase the application flexibility. However along with these benefits come added security challenges. The extension of Trusted Computing to virtual environments can provide secure storage and ensure system integrity. In this paper, we describe and analyze several existing virtualization of TPM (vTPM) designs: software-based vTPM, hardware-based vTPM, para-virtualized TPM and property-based vTPM and analyze each of their limitations. We believe this to be an useful exercise to help better understand and apply the technology of virtualization of TPM in real cloud computing systems.

Haibo Chen,Jieyun Chen,Wenbo Mao,Fei Yan

DOI: https://doi.org/10.1016/j.istr.2007.05.005

2007-01-01

Information Security Technical Report

Abstract:The service oriented architecture of grid computing has been thoughtfully engineered to achieve a service level virtualization: not only should a grid be a virtual machine (also known as a virtual organization, VO) of unbounded computational power and storage capacity, but also should the virtual machine be serviceable in all circumstances independent from serviceability of any of its component. At present, a grid VO as a result of service level virtualization only is more or less confined to participants from scientific computing communities, i.e., can have a limited scale. It is widely agreed that for a grid to pool resources of truly unbounded scale, commercial enterprises and in particular server-abundant financial institutions, should also “go for the grid,” i.e., open up their servers for being used by grid VO constructions. We believed that it is today's inadequate strength of the grid security practice that is the major hurdle to prevent commercial organizations from serving and participating the grid.This article presents the work of Daonity which is our attempt to strengthening grid security. We identify that a security service which we name behavior conformity be desirable for grid computing. Behavior conformity for grid computing is an assurance that ad hoc related principals (users, platforms or instruments) forming a grid VO must each act in conformity with the rules for the VO constitution. We apply trusted computing technologies to achieve two levels of virtualization: resource virtualization and platform virtualization. The former is about behavior conformity in a grid VO and the latter, that in an operating system. With these two levels of virtualization working together it is possible to build a grid of truly unbounded scale by VO including servers from commercial organizations.

Xl Gui,B Xie,Yn Li,Dp Qian

DOI: https://doi.org/10.1007/978-3-540-30207-0_60

2004-01-01

Abstract:Computational Grids need support the distributed high performance computing with security and reliability. While the fact is when malicious users apply computational resources or illegally modify their secure levels, they can get system-level data or outputs belong to other applications by running cock-horse, even more they can destroy the whole system. For solving these security problems in Grids, a Grid security model with users behaviors and trusts is introduced. And by improving the components of reputation in traditional trust [1], [2] model, a new trust model with mathematical description is presented, and the grid security infrastructure with this trust model is described.

Yuzhong Sun,Haifeng Fang,Ying Song,Lei Du,Kai Zhang,Hongyong Zang,Yaqiong Li,Yajun Yang,Ran Ao,Yongbing Huang,Yunwei Gao

DOI: https://doi.org/10.1007/s11704-009-0076-5

2010-01-01

Frontiers of Computer Science in China

Abstract:Currently, with the evolution of virtualization technology, cloud computing mode has become more and more popular. However, people still concern the issues of the runtime integrity and data security of cloud computing platform, as well as the service efficiency on such computing platform. At the same time, according to our knowledge, the design theory of the trusted virtual computing environment and its core system software for such network-based computing platform is at the exploratory stage. In this paper, we believe that efficiency and isolation are the two key proprieties of the trusted virtual computing environment. To guarantee these two proprieties, based on the design principle of splitting, customizing, reconstructing, and isolation-based enhancing to the platform, we introduce TRainbow, a novel trusted virtual computing platform developing by our research group.With the two creative mechanisms, that is, capacity flowing amongst VMs and VM-based kernel reconstructing, TRainbow provides great improvements (up to 42%) in service performance and isolated reliable computing environment for Internet-oriented, large-scale, concurrent services.

Luo Zhen,Li Zhishu,Cai Biao

DOI: https://doi.org/10.1109/iccsit.2010.5563587

2010-01-01

Abstract:During the procedure of resource discovery in Grid, a requester (consumer) may be offered several resources (providers) which identities have been verified to submit his task. How to make decision on selecting providers to complete his job reliably is an emergency. Establishing trust system is an alternative to respond the challenge. For the sake of future works in computational Grid are to refine the existing models, to define and to develop additional components, so define the trust model infrastructure for grid security module is necessity. This paper analyzes the fundamental trust requirements, proposes a trust signaling prototype and developments of our simulating trust mould which with we proposed computational model and signaling model for Grid security module is discussed at the end.

Xin Jin,Qixu Wang,Xiang Li,Xingshu Chen,Wei Wang

DOI: https://doi.org/10.26599/tst.2018.9010129

2019-01-01

Tsinghua Science & Technology

Abstract:As a foundation component of cloud computing platforms, Virtual Machines (VMs) are confronted with numerous security threats. However, existing solutions tend to focus on solving threats in a specific state of the VM. In this paper, we propose a novel VM lifecycle security protection framework based on trusted computing to solve the security threats to VMs throughout their entire lifecycle. Specifically, a concept of the VM lifecycle is presented divided up by the different active conditions of the VM. Then, a trusted computing based security protection framework is developed, which can extend the trusted relationship from trusted platform module to the VM and protect the security and reliability of the VM throughout its lifecycle. The theoretical analysis shows that our proposed framework can provide comprehensive safety to VM in all of its states. Furthermore, experiment results demonstrate that the proposed framework is feasible and achieves a higher level of security compared with some state-of-the-art schemes.