Cui Yan-Li,Zhang Xing

DOI: https://doi.org/10.1109/cnmt.2009.5374540

2009-01-01

Abstract:In the distributed environment, one important security issue is how to apply further security control to the object that is released to other terminals. The appearance of trusted computing technology has provided an effective solution for this issue in the distributed environment. At the same time, through combining trusted computing technology with the strong isolation and sharing characteristic provided by virtual machine technology has further increased the security and the flexibility of distributed access control. Therefore, this paper uses trusted computing technology to improve the security of the terminal in carrying out the distributed access control, designs a trusted terminal architecture that bases on the trusted computing technology and the virtual machine technology as well as a enhanced mode that suits in distributed access control, and on this basis, analyzes the security of system design.

Rui Chang,Liehui Jiang,Wenzhi Chen,Yaobin Xie,Zhongyong Lu

DOI: https://doi.org/10.23919/tst.2017.8030534

2017-01-01

Tsinghua Science & Technology

Abstract:The run-time security guarantee is a hotspot in current cyberspace security research, especially on embedded terminals, such as smart hardware as well as wearable and mobile devices. Typically, these devices use universal hardware and software to connect with public networks via the Internet, and are probably open to security threats from Trojan viruses and other malware. As a result, the security of sensitive personal data is threatened and economic interests in the industry are compromised. To address the run-time security problems efficiently, first, a TrustEnclave-based secure architecture is proposed, and the trusted execution environment is constructed by hardware isolation technology. Then the prototype system is implemented on real TrustZone-enabled hardware devices. Finally, both analytical and experimental evaluations are provided. The experimental results demonstrate the effectiveness and feasibility of the proposed security scheme.

Yuxia Cheng,Qing Wu,Bei Wang,Wenzhi Chen

DOI: https://doi.org/10.1007/978-3-319-69471-9_4

2017-01-01

Abstract:Protecting data security and privacy is one of the top concerns in the public cloud. As the cloud infrastructure is complex, and it is difficult for cloud users to gain trust. Particularly, how to guarantee the confidentiality and integrity of in-memory user private data in untrusted cloud faces big challenges. The in-memory data is typically used for online processing that requires high performance and plaintext access in CPU, therefore simple data encryption is infeasible for in-memory data security protection. In this paper, we propose a secure in-memory data cache scheme based on the memcached key-value store system and leverage the new trusted Intel SGX processors to protect sensitive operations. Firstly, we build a secure enclave and design a trusted channel protocol using remote attestation mechanism. Secondly, we propose a cache server partitioning method that decouples the sensitive key-value operations with enclave protection. Thirdly, we implement a secure client library to maintain the original cache semantics for application compatibility. The experimental result showed that the proposed solutions achieves comparable performance with the traditional key-value store systems, while improves the level of data security in untrusted cloud.

Yuning Zheng,Sheng Hong,Jun Wang,Yuejiao Zhang,Bin Zhang

DOI: https://doi.org/10.1007/s12652-021-03577-z

IF: 3.662

2021-11-20

Journal of Ambient Intelligence and Humanized Computing

Abstract:With the continuous development of information technology, the amount of data in information systems continues to increase. Big data has become an inevitable trend in the development of information technology, and the problems faced by the secure storage of big data have also become problems that must be solved. On the one hand, the research in this paper meets the storage requirements of unstructured massive data. On the other hand, it applies digital certificate authentication technology to realize storage security identity authentication based on digital certificate, and solves the application problem of high-security identity authentication in distributed storage. The innovation of this paper is to use the corresponding virtual storage space mapping algorithm to realize the unified management of resource pool. And before data transmission, the digital certificate authentication method is used to realize the authority control of the storage resource pool. This paper has completed the design and implementation of the distributed secure storage system, and completed the related testing and verification work, which significantly improved the performance of data storage and solved the problem of big data secure storage.

computer science, information systems,telecommunications, artificial intelligence

CHEN Wen-zhi,HUANG Wei,XIE Cheng,HE Qin-ming

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.02.016

2009-01-01

Abstract:Virtualization was introduced to increase the security of embedded devices while avoiding the shortcomings caused by the hardware-based approach such as poor flexibility,high complexity and high production cost of equipments.Virtualization platform SmartVP offers a secure system environment by the software-based approach.SmartVP partitions the computing resources on the ARM processor into two parallel sets,one for standard real-time operating system T-Kernel and the other for general-purpose operating system Linux.The trusted computing base of SmartVP is constructed by protecting the code and data of the software on T-Kernel,as well as by implementing the fundamental security services and interfaces.Both performance benchmark and applications show that SmartVP improves the security of embedded devices and reduces the implementing risk together with developing time and cost.

Rui Chang,Liehui Jiang,Wenzhi Chen,Yaobin Xie,Zhongyong Lu

2016-01-01

Abstract:The run-time security guarantee is a hotspot in current cyberspace security research, especially on embedded terminals, e.g., smart hardware, wearable devices, mobile devices. Typically, these devices use universal hardware and software to connect with public network by internet, and are probably open to security threats from Trojan, virus and other malware. As a result, not only personal sensitive data is threatened, economic interests in industry are also compromised. To address the run-time security problems efficiently, first a TrustEnclave-based secure architecture is proposed, and the trusted execution environment is constructed by hardware isolation technology. Then the prototype system is implemented on real TrustZone-enabled hardware devices. Last, both analytical and experimental evaluations are given in the end. The experimental results demonstrate that the proposed security scheme is effective and feasible.

MA Hong-peng,LI Xing,NI Qing-jian,XING Han-cheng

DOI: https://doi.org/10.3969/j.issn.1007-130X.2006.10.010

2006-01-01

Abstract:The variety of storage systems makes the integration of storage systems difficult. As a main development tendency of the storage technology, storage virtualization can solve the problem very well. First, this paper presents a virtual storage model with three virtual layers based on the Web Services technology. Second, the design and implementation of the network-based virtual storage system is discussed in detail. Finally, experiences show that not only the manageability and practicality are improved, but also the extensibility and efficiency are guaranteed.

TAN Zhiyong,SI Tiange,LIU Ouo,DAI Yiqi

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.07.023

2009-01-01

Abstract:A trusted computing model was developed for the non-local-storage characteristics of the server-end storage computer architecture. The model achieves high flexibility and scalability by replacing the original trusted platform module (TPM) hardware with a software module implemented on the server. The model ensures the security of the computing platform by establishing a complete trust chain from the beginning of the boot stage of the client operating system. Implementation of a prototype system shows that since the server measures the trust of all clients, a security strategy can be formulated to implement real trustworthiness on the entire local area network.

Yue-hua Dai,Xiaoguang Wang,Yi Shi,Jianbao Ren,Yong Qi

DOI: https://doi.org/10.1109/iccchina.2012.6356995

2012-01-01

Abstract:The use of virtualization in cloud computing is becoming more and more popular. Cloud service providers leverage virtualization technology to multiplex hardware resource, consolidate servers, and provide a rounded executing environment to remote cloud users. However, the current executing environment the cloud provides is not trustable. For a user's computing environment faces threats from other malicious cloud users who aim at attacking the whole underlying virtualization software (virtual machine monitor, VMM, or hypervisor). In this paper, we make an analysis of the potential threat to a commodity hyper-visor, and propose architecture for safe executing environment on hardware-sharing platform. The main ideas of our architecture are: removal of interaction between hypervisor and executing environment; attestation of the initial environment state to remote user. To prove the effectiveness of our architecture, we build a prototype system which can create multiple secure isolated executing environment on current multi-core x86 hardware. The final evaluation shows that with current commodity virtualization techniques, we can provide a safe executing environment for remote cloud users with no performance overhead.

Xiaoguang Wang,Yi Shi,Yuehua Dai,Yong Qi,Jianbao Ren,Yu Xuan

DOI: https://doi.org/10.4304/jcp.9.10.2303-2314

2014-01-01

Journal of Computers

Abstract:The Infrastructure as a Service (IaaS) cloud computing model is widely used in current IT industry, providing the cloud users virtual machines as the executing environment. However, current executing environment the cloud provided is not trustworthy. For a user's executing environment faces threats from malicious cloud users who aim at attacking the underlying virtualization software (virtual machine monitor, VMM, or hypervisor). In this paper, we first make an analysis of the potential threats to a commodity hypervisor, and then propose architecture to build a more trustworthy executing environment for IaaS cloud. The main ideas of our architecture are: removing interaction between hypervisor and the exposed executing environment, enhancing platform data secrecy as well as providing feature rich environment attestation. To prove the effectiveness of our architecture, we build a prototype system, named TrustOSV, which can host multiple trustworthy isolated computing environments on multi-core x86 hardware. The final evaluation shows that TrustOSV can provide enhanced security guarantees to the exposed VMs at modest cost.

赵阳,刘明芳,林曦君

DOI: https://doi.org/10.3969/j.issn.1671-0428.2013.03.004

IF: 5.105

2013-01-01

Computers & Security

Abstract:With the development of cloud computing, virtualization technology, interaction in virtual machines on the same physical host also encounters hitherto unknown security problem. This paper is based on trusted computing, using shared memory mechanism based on KVM, applies dedicated security trusted pipeline, and uses trusted measurement to verify the authenticity and reliability of two virtual machines. By encrypting memory pseudo address, it isolates other virtual machine except the interaction of the two sides, and guarantees the information trusted and security during the communication process. At last, we analyze and summarize the method.

Ma Xianzhang,Teng Minggui,Wu Xiaotao

DOI: https://doi.org/10.3969/j.issn.1674-909X.2010.02.001

2010-01-01

Abstract:Currently Electronic Information System(EIS) is not yet self-control and independent.It is based on Microsoft software architecture and non open source,which presents great hidden security trouble due to lack of control of bottom details.Considering the development of trusted computing technology and our hardware and software level,this paper proposes that EIS could be constructed based on trusted computing infrastructure in order to increase its security and reliability.

Mingqian Wang,Wangli Kou,Depeng Zhi,Kun Han,H. Cui,Lin Ni

DOI: https://doi.org/10.1109/acctcs53867.2022.00030

2022-02-01

Abstract:With the development of Internet technology, the rapid growth of data volume strongly promotes the construction of data centers, which also makes the security threats to data centers more and more serious. The architecture of the internal network of the data center has changed from the traditional IT architecture to virtualization, hybrid cloud and containerization, and the security isolation inside the data center has become more and more difficult. Aiming at the isolation of the internal network of the data center, the paper builds a more reliable system with the help of the zero-trust thought. On the basis of analyzing the key technologies of micro-isolation and constructing a micro-isolation system, we design a zero-trust security architecture based on micro-isolation propose a zero-trust security system for data center based on micro-isolation, and provides a set of security isolation scheme for the internal network of the data center.

Computer Science,Engineering

Xu-dong HAO,Chun-xiang XU

DOI: https://doi.org/10.3969/j.issn.1009-2552.2009.09.017

2009-01-01

Abstract:As a hot topic of computing world at present,the virtualization technology can make convince to manage the computing resources and be used to cloud computing.With the growing of these technology,some security problems come out,many malicious programs are booted on the launching time of the virtualization systems,then the trusted execution technology becomes more important.This paper introduces the features and mechanism of the trusted execution technology,and analyses the central component of this technology,finally gives a conclusion for the research status and exist problems.

LIU Yu-tao,CHEN Hai-bo

DOI: https://doi.org/10.11959/j.issn.2096-109x.2016.00091

2016-01-01

Abstract:The virtualization security has increasingly drawn widespread attention with the spread of cloud computing in recent years.Thanks to another level of indirection,virtualization can provide stronger isolation mechanisms,as well as bottom-up security services for upper-level software.On the other side,the extra indirection brings complexity and overhead as well,which poses huge challenges.A series of recent representative work done by the institute of parallel and distributed system shanghai jiaotong university,including providing security services of trusted execution environment,virtual machine monitoring,intra-domain isolation,as well as optimizing trusted computing base and cross-world calls in the virtualization environment.Finally the problems and directions in the space of virtualization security were summarized.

Xin Yang,Qingni Shen,Yahui Yang,Sihan Qing

DOI: https://doi.org/10.1007/978-3-642-24403-2_11

2011-01-01

Abstract:Cloud security has gained increasingly emphasis in the research community, with much focus primary concentrated on how to secure the operation system and virtual machine on which cloud system runs on. We take an alternative perspective to consider the problem of building a secure cloud storage service on top of a public cloud infrastructure where the service provider is not completely trusted by the customer. So, it is necessary to put cipher text into the public cloud. We describe an architecture based on Trusted Platform Module and the client of cloud storage system to help manage the symmetric keys used for encrypting data in the public cloud and the asymmetric keys used for encrypting symmetric keys. The key management mechanism includes how to store keys, how to backup keys, and how to share keys. Based on the HDFS (Hadoop Distributed File System), we put a way of key management into practice, and survey the benefits that such an infrastructure will provide to cloud users and providers, and we also survey the time cost it will bring to us.

Qingni Shen,Xin Yang,Xi Yu,Pengfei Sun,Yahui Yang,Zhonghai Wu

DOI: https://doi.org/10.1109/APSCC.2011.56

2011-01-01

Abstract:Cloud Storage has been turned into a common platform shared among varied organizations, even market competitors, thus has raised many security concerns. Most of the current researches focus on data encryption and decryption, in this paper, however, we take an alternative perspective - access control, to design and implement a secure solution for cloud storage, aiming to solve both the data isolation problem, which ensures that data in storage cloud owned by one company wouldn't be crossly accessed by other ones, and data collaboration problem, which makes data sharing between different organizations through storage cloud possible while still under the restriction of company data isolation. Besides, we have presented a pretty flexible security policy which could be easily customized to fit the variant security requirements in different cooperation. Finally, a prototype has been implemented based on HDFS by this policy, and the time cost is given and evaluated. © 2011 IEEE.

LU Zhenyu,PAN Li,NI Yousheng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.03.057

2006-01-01

Abstract:Nowadays,methods of network attack change significantly from one year to the next.In this situation,there comes a new technology called secure network GAP,which cuts off the direct connection in datalink layer,exchanges data in its own control,and therefore it resolves the conflict between secure isolation and data exchange effectively.This paper describes a method of implementing network secure isolation and data exchange system based on USB,which has been promoted in the network construction of Shanghai E-government network.

Long Qin,Zeng Feng-ping,Wu Si-lian,Pan Ai-min

DOI: https://doi.org/10.1007/bf02828610

2008-01-01

Wuhan University Journal of Natural Sciences

Abstract:We present a secure storage system named HermitFS against many types of attacks. HermitFS uses strong cryptography algorithms and a secure protocol to secure the data from the time it is written to the time an authorized user accesses it. Our experimental results and secure analysis show that HermitFS can protect information from unauthorized access in any open environment with little penalty of data overhead and acceptable performance.

Cong Wang,Qian Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/iwqos.2009.5201385

2009-01-01

Abstract:Cloud computing has been envisioned as the next-generation architecture of IT enterprise. In contrast to traditional solutions, where the IT services are under proper physical, logical and personnel controls, cloud computing moves the application software and databases to the large data centers, where the management of the data and services may not be fully trustworthy. This unique attribute, however, poses many new security challenges which have not been well understood. In this article, we focus on cloud data storage security, which has always been an important aspect of quality of service. To ensure the correctness of users' data in the cloud, we propose an effective and flexible distributed scheme with two salient features, opposing to its predecessors. By utilizing the homomorphic token with distributed verification of erasure-coded data, our scheme achieves the integration of storage correctness insurance and data error localization, i.e., the identification of misbehaving server (s). Unlike most prior works, the new scheme further supports secure and efficient dynamic operations on data blocks, including: data update, delete and append. Extensive security and performance analysis shows that the proposed scheme is highly efficient and resilient against Byzantine failure, malicious data modification attack, and even server colluding attacks.